In the current zero-day exploit market, it's common to pay out six figures for a single exploit, and now Microsoft has thrown open the door and invited more security-minded individuals to compete for the $100,000 prize. Granted, Microsoft words it differently than a pay-for-bugs plan, instead saying its bounty evolution plan, which was "designed to change the dynamics and the economics of the current vulnerability market," will pay for mitigation bypass techniques. But as Andrew Storms, director of DevOps at CloudPassage, pointed out, it's "very much riding the line of paying for zero-days."
"We are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild," Katie Moussouris, Microsoft senior security strategist lead, wrote on the BlueHat blog. "Now, both finders and discoverers can turn in new techniques for $100,000."
This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.
Microsoft believes that new mitigation bypass techniques are "much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug - hence, we are willing to pay $100,000 for these rare new techniques."
Yet however Microsoft chooses to word it, Storms said, "It sure does seem to boil down to a person or organization has gotten their hands on a new attack method and they turn it over to Microsoft for a payout. Although I guess you could say that they are paying for a technique instead of a payload."
Denying this new program is a bug bounty is "splitting hairs," according to Chris Wysopal, co-founder and CTO of Veracode. "It's only for mitigation bypasses; it's not just for any zero-day bug. They're not paying for a zero-day [vulnerability] in Windows XP, for example."
So how can you try for a piece of the exploit money pie? "To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com. After you preregister and sign an agreement, then we'll accept an entry of technical write-up and proof of concept code for bounty consideration."
The prequalification requirement before submitting could be "so that one black hat couldn't get paid for stealing from another black hat," said Wysopal. "They're trying to make sure that only white hat, legitimate incident responders, get the money."
In the end, Microsoft said that "evolving the bounty landscape" will benefit its customers. It could possibly give the government a heads up advantage as well, since Microsoft "provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix." Bloomberg reported that "information can be used to protect government computers and to access the computers of terrorists or military foes." However, "Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government 'an early start' on risk assessment and mitigation."
But nearly everyone seems to be in the market for zero-days; a report earlier this year claimed that the U.S. government is the biggest buyer of zero-day vulnerabilities. Even the NSA contracts with zero-day exploit vendors like the French firm Vupen Security. In fact, Professor Ross Anderson, of the University of Cambridge, previously told TechWeekEurope that "researchers are purposefully placing bugs in open source software during the development stages, so that when code appears in completed products, those same researchers can highlight the flaws and profit from them where companies are willing to pay."
When it comes to Microsoft changing its $100,000 bug bounty program to now include 'responders and forensic experts who find active attacks in the wild', "the idea is to reduce the amount of time that a new technique is useful for attackers." But you can expect more changes coming to the bounty program, since Moussouris told ThreatPost, "I have some other things up my sleeve."
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.