Microsoft has long been reluctant to pay security researchers for vulnerabilities they find in the company's software. But on Wednesday, the software giant announced a bug bounty plan that offers direct cash payouts to researchers.
"Today is an inflection point for Microsoft, as well as the security industry," Katie Moussouris, senior security strategist, Microsoft Security Research Center, wrote in a blog post. "We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft's customers and the security researcher community."
Microsoft is offering three bug bounty programs. Through its Mitigation Bypass Bounty program, the company will pay up to $100,000 for novel exploitation techniques against protections built into the latest version of Windows. In BlueHat Bonus For Defense, Microsoft will pay up to $50,000 for defensive ideas that accompany a qualifying submission to the Mitigation Bypass Bounty program.
The third program will pay up to $11,000 for researchers who find critical vulnerabilities affecting Internet Explorer Preview on Windows 8.1 Preview. While the other two programs will be ongoing, this one will run for a limited time, from June 26 through July 26.
While Microsoft dragged its heels in rolling out a bug bounty program, other companies like Google and Mozilla have been offering security researchers cash rewards for a few years now. Google launched its bug bounty program in 2010 and earlier this month increased its payout for cross-site scripting bugs to $7,500, up from $3,133, and will now pay $7,500 instead of $5,000 for significant authentication bypasses and information leaks. Other companies offering bug bounties include Facebook and PayPal.
In a blog post, Chris Wysopal, co-founder and CTO at application security company Veracode, said he was a little surprised it took Microsoft this long to create a bug bounty program. But he called Microsoft's effort a second-generation bug bounty program.
"With the rise of sandboxes for apps and improvements in exploit mitigations in compilers and OSes we are seeing that mitigation bypasses are where all the real action is," he wrote of the Mitigation Bypass Bounty program. "By recognizing this, Microsoft has built a better bounty program. By fixing mitigation bypass vulnerabilities Microsoft can help secure software written by other vendors for the Windows platform. So in a way this is a platform bug bounty program, not just a program for one vendor."
By paying bounties for Internet Explorer 11 bugs only for a 30-day beta period, Microsoft is incenting bug disclosure before the product is in wide use, Wysopal wrote. "Researchers often gripe that they are performing QA for the vendor and they should get paid. A bug bounty program during beta makes this a reality," he wrote.
Wysopal noted that vendor bug bounty programs like Microsoft's are forced to compete with the open market for vulnerabilities, where researchers sell exploits to governments--or anyone with cash--instead of informing the vendor. "The growth of this market and its potential to grow more is part of the equation any vendor uses to decide whether or not to have a bounty program and what to set bounty values at," he noted.