Microsoft's Bug Bounty Program expands: Snitches welcome?

Microsoft wants to take a bite out of the exploit market, and has opened its Bug Bounty Program up beyond the usual scope of hackers and researchers.
Written by Violet Blue, Contributor

Microsoft's Bug Bounty Program is taking aim at the black market for exploits, expanding the pool beyond researchers while offering its $100K to those willing to rat out active exploits.

The move was described by Microsoft's Senior Security Strategist Katie Moussouris as "designed to further disrupt the vulnerability and exploit markets."


Microsoft's new "Bounty Evolution" changes the game from giving payoffs to those who invent new mitigation bypass techniques to include squeaky wheels who find or "discover" new attacks in the wild.

So if you know of any exploitation attacks currently in use against Microsoft (Windows 8.1), and you're willing to sing for your supper, Microsoft's expanded bug bounty program operators are standing by - and they'll pay $100K.

Snitches welcome?

Now, it's not just hackers and professional researchers who can cash in on Microsoft's $100,000 bounty: forensic experts, organizations and responders can try to get their slice of the "Blue Hat" exploit pie, too.

While Microsoft's door is now apparently always open for anyone who wants to sing, Microsoft says that anyone who wants to play ball with the Blue Hats has to first send an email to doa [at] microsoft [dot] com to pre-register with an agreement, but then "we'll accept an entry of technical write-up and proof of concept code for bounty consideration."

Going after the black market for exploits is a noble enough dream, but it's hard not to wonder if Microsoft's $100K is enough to flip the kind of tricks they want to pull out of the wild on their products.

That's not to say they don't have tasty enough bait: Microsoft's Bug Bounty program is young, successful and saw its first fat, high-profile payout within four months of its launch.

It bolted out of the gate ahead of the pack when it launched in June. Unlike other programs, it pays for new attack and defense techniques in regard to the latest Windows operating system; those submitting novel defense techniques can nab up to $50K.

In October, British security researcher James Forshaw took the first $100,000 prize when he discovered and reported a bypass of Windows memory protections, the details of which Microsoft did not allow him to disclose.

"Dead or alive"

Microsoft's new play essentially expands its field of potential exploit traders from scattered individuals who invent, to potentially thousands who find, meaning Microsoft is trying to angle itself into a new arena of deal making.

Moussouris explained in Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alive,

This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. 

Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. 

By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.

She explained that Microsoft will pay cash on the barrelhead for anyone who drags in an exploit "dead or alive."

Meaning, Microsoft will pay for an attack that's fresh and shiny, with no miles on it - and it'll also pay up for exploits with teeth, those currently being used against Microsoft.

We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we’ll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive.

The success of the program thus far bodes well for Moussouris' campaign.

But for now, the jury's out on whether the program has enough juice to move the exploit market's meter from black to blue.
