Microsoft unleashes bug bounty program — for betas, too

The software giant's bug bounty program will aim to fix security flaws, bugs, and vulnerabilities even before products are released.
Written by Zack Whittaker, Contributor
IE9 under a zero-day attack before a Patch Tuesday in February. Microsoft wants to reward those who discover serious security flaws even before its software is released.
Image: Rapid7

Microsoft on Wednesday announced it will launch a "bug bounty" program, designed to stamp out security vulnerabilities in its software before and after its products are launched.

The software giant has previously offered as much as $250,000 for security vulnerabilities disclosed as part of its BlueHat prize during contests, but the company had yet to offer a long-term, ongoing bug bounty program to encourage researchers to find flaws in its products.

"This is the smartest thing we can do," Katie Moussouris, senior security strategist lead at Microsoft Security Response Center (MSRC), told ZDNet on the phone. "We evaluated what researchers were doing, and we noticed the reporting trend was changing. A few years ago, most researchers were going to Microsoft directly. We want to bring that back."

But the twist in the tale is that these bug bounty programs will specifically include the company's pre-release software, such as Internet Explorer 11 preview, which will be included with Windows 8.1 ("Blue") on June 26, helping Microsoft stamp out bugs before its products are released into the wider population.

There's a method to this apparent madness. According to the company, most IE 10 security bugs were disclosed after the browser was pushed out into the wild because only then could the researcher receive a financial bounty for their discoveries through a third-party broker. 

"Most [third-party] brokers don't offer beta bounties. When brokers offered money, researchers reported them, so during the betas there was no incentive to report them. Microsoft wants to fill that gap," Moussouris said. 

Microsoft's projection for IE 11, with this beta bug bounty, is that more disclosures will occur sooner rather than later, while the product is still in the hands of a smaller pool of developers and beta testers.

The company is splitting its security strengthening efforts across three programs:

The first is a "mitigation bypass bounty," which will pay out up to $100,000 per bypass to security researchers who find truly novel exploitation techniques that bypass the platform-level security layer. As Moussouris described it, it's like finding "holes in the shield," which helps Microsoft build better protection against entire classes of attack.

Dubbed the BlueHat Bonus for Defense, the second program gives researchers the opportunity to receive $50,000 extra if they submit a defensive idea in the form of a technical whitepaper that can help block their newly discovered attack.

IE 11 will remain an integral part of Windows 8.1 while at the same time being a continued target for hackers and malware writers. So, with the third program, Microsoft is offering up to $11,000 per critical-severity vulnerability to researchers. 

For the IE 11 preview, the payout structure works like this:

[Image: IE 11 preview bounty payout structure. Credit: Microsoft]

All three of these programs start on June 26 and continue on an ongoing basis, with the exception of the IE 11 preview bug bounty, which ends a month later on July 26.

Moussouris said the first two programs will help protect Microsoft's desktop platforms. "But we'll see where the programs take us," regarding its cloud and Web-based technologies, such as Azure, Office 365, and the Xbox Live platform.

Microsoft's primary motivation is getting security vulnerabilities squashed earlier rather than later. And asked about researchers at rival companies, such as Google, discovering bugs and flaws in its software, Microsoft doesn't mind paying out. "As long as it's OK with your employer, any researcher can participate."

And, learning from PayPal's recent bluff by refusing to pay out to a bug-finding teenager because he fell under the age requirement, Microsoft has opened up the doors to those 14 years of age or older, realizing that younger developers should still be able to participate.

"If you are at least 14 years old, but are considered a minor in your place of residence, you need to ask your parent's or legal guardian’s permission prior to participating in this program," the bug bounty program guidelines state.

On the one hand, Microsoft is building a better, more constructive relationship with security researchers. But at the same time, the company could be seen as employing a "keep your enemies closer" approach. And if the end result is that 90 percent of the world's users have more secure software and platforms, it's a win-win for all involved.
