Microsoft Offers Up To $100,000 For Bugs

Microsoft has long been reluctant to pay security researchers for vulnerabilities they find in the company's software. But on Wednesday, the software giant announced a bug bounty plan that offers direct cash payouts to researchers.

"Today is an inflection point for Microsoft, as well as the security industry," Katie Moussouris, senior security strategist, Microsoft Security Research Center, wrote in a blog post. "We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft's customers and the security researcher community."

Microsoft is offering three bug bounty programs. Through its Mitigation Bypass Bounty program, the company will pay up to $100,000 for novel exploitation techniques against protections built into the latest version of Windows. In BlueHat Bonus For Defense, Microsoft will pay up to $50,000 for defensive ideas that accompany a qualifying submission to the Mitigation Bypass Bounty program.

The third program will pay up to $11,000 to researchers who find critical vulnerabilities affecting Internet Explorer Preview on Windows 8.1 Preview. While the other two programs will be ongoing, this one will run for a limited time, from June 26 through July 26. Details are available here.

While Microsoft dragged its heels in rolling out a bug bounty program, other companies such as Google and Mozilla have been offering security researchers cash rewards for a few years now. Google launched its bug bounty program in 2010; earlier this month it increased its payout for cross-site scripting bugs to $7,500, up from $3,133, and it will now pay $7,500 instead of $5,000 for significant authentication bypass and information leak bugs. Other companies offering bug bounties include Facebook and PayPal.

In a blog post, Chris Wysopal, co-founder and CTO at application security company Veracode, said he was a little surprised it took Microsoft this long to create a bug bounty program. But he called Microsoft's effort a second-generation bug bounty program.

"With the rise of sandboxes for apps and improvements in exploit mitigations in compilers and OSes we are seeing that mitigation bypasses are where all the real action is," he wrote of the Mitigation Bypass Bounty program. "By recognizing this, Microsoft has built a better bounty program. By fixing mitigation bypass vulnerabilities Microsoft can help secure software written by other vendors for the Windows platform. So in a way this is a platform bug bounty program, not just a program for one vendor."

By paying bounties for Internet Explorer 11 bugs only during a 30-day beta period, Microsoft is giving researchers an incentive to disclose bugs before the product is in wide use, Wysopal wrote. "Researchers often gripe that they are performing QA for the vendor and they should get paid. A bug bounty program during beta makes this a reality," he wrote.

Wysopal noted that vendor bug bounty programs like Microsoft's are forced to compete with the open market for vulnerabilities, where researchers sell exploits to governments--or anyone with cash--instead of informing the vendor. "The growth of this market and its potential to grow more is part of the equation any vendor uses to decide whether or not to have a bounty program and what to set bounty values at," he noted.

Marcia Savage is managing editor at Network Computing.
