For years, Microsoft has resisted calls by information security researchers to launch a formal bug bounty program. Today, Microsoft finally responded by unveiling a trio of bug bounty initiatives. Microsoft is also upping the ante by hosting a live security event at the upcoming Black Hat conference where researchers can bring and demonstrate their mitigations.
The new bug bounty programs include the Mitigation Bypass Bounty, which will earn security researchers up to $100,000. The Mitigation Bypass is for research that demonstrates what Microsoft refers to as “truly novel exploitation techniques” against Windows 8.1 Preview. Microsoft will also pay up to $11,000 for bugs that researchers find in the IE 11 Preview browser.
An additional $50,000 is on the table for researchers who provide Microsoft with defensive techniques that can block offensive bypass techniques.
While the launch of the bug bounty program is new, in some respects it is a follow-up to an effort Microsoft engaged in last year. The Blue Hat Prize was awarded at the 2011 Black Hat event and gave researchers a total of $260,000 in prize money.
“The BlueHat Bonus for Defense Program is the logical continuation of the 2011-12 standalone BlueHat Prize contest, since both seek defensive solutions to significant exploitation techniques,” Dustin Childs, group manager for Response Communications, Microsoft Trustworthy Computing, told eSecurity Planet. “All three winning entries in the BlueHat Prize Contest concerned defenses against Return Oriented Programming (ROP), a well-known mitigation-bypass technique.”
What About IE 10?
From a production code perspective, Microsoft’s new bounty efforts on the browser do not directly relate to IE 10 or prior versions. Other research groups such as the HP Zero Day Initiative already offer bounties for IE 10 vulnerabilities.
“After evaluating other bounty programs from vendors and brokers, we believe that starting with a Preview-period bounty on a specific product suits Microsoft’s development process and fills a gap in the existing vulnerability marketplace,” Childs said. “Addressing as many of these issues as possible prior to release also causes the least disruption to our customers.”
Andrew Storms, director of security operations for Tripwire, noted that Microsoft’s first bug bounty program is somewhat limited because it covers only IE 11 and runs for just one month. That said, he’s still optimistic about the program.
“Microsoft’s program might not be as extensive as some other vendors, but it’s still a significant step for them and will definitely benefit consumers,” Storms said.
Black Hat plans
As was the case with the Blue Hat Prize in 2012, Microsoft is using the Black Hat conference as a venue to help promote its security efforts. At Black Hat 2013, Microsoft is inviting any researcher who is interested to participate in a live event for the Mitigation Bypass Bounty.
Trey Ford, general manager of Black Hat, told eSecurity Planet that many researchers put in a great deal of work, often with no thanks, appreciation, or payment.
“Black Hat advocates improving conversations around security,” Ford said. “We laugh about how the age of innocence has passed – the days of a legal gag order for researchers trying to innocently advise a software company of a vulnerability have long since passed.”
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.