Microsoft Offers to Pay for Software Bugs
In a startling move, Microsoft caved in to industry pressures today and announced that, for the first time, it would be offering cash rewards for security vulnerabilities in its software — a "bug bounty," in hacker parlance.
"Friends, hackers, researchers! Want to help us protect customers, making some of our most popular products better? And earn money doing so? Step right up," Microsoft's "BlueHat" security-research team said in an online posting.
The bug-bounty programs — there are three of them, but one is temporary — begin next Wednesday (June 26).
For "truly novel exploitation techniques" against the latest version of Windows (8.1 Preview), Microsoft will pay up to $100,000 cash. For defenses against those novel exploitation techniques, the company will pony up a bonus of up to $50,000.
And for a month, anyone who discovers a critical flaw in the beta (working test) version of Internet Explorer 11 will get up to $11,000. (It's generally less difficult to find a flaw than to develop a working exploit of that flaw, hence the lower price.)
"This is a big step forward for Microsoft consumers because it should result in fewer bugs in released products," said Andrew Storms, director of security operations for Portland, Ore.-based enterprise-security provider Tripwire, in a statement. "It's also great for security researchers, since they now have incentives to find and report Microsoft bugs instead of using them in less beneficial ways."
Those "less beneficial ways" include actively exploiting the flaw, or, more commonly, selling it on the black market. In years past, successful bug hunters could expect only honor and, often, a well-paying job, as a reward for finding software flaws, but that has changed.
"Instead of pimping your vuln for fame, you can now sell it to an interested party, such as Russian organized crime, Chinese spies or the NSA cyberwarriors," wrote Robert Graham, CEO of Errata Security in Atlanta, in a company blog posting. "The right bug, to the right customer, at the right time, can be worth $1 million."
At a security conference in 2009, several prominent researchers began a protest movement against stingy software companies. Proclaiming "No More Free Bugs," they demanded to be paid for the flaws the companies' own researchers couldn't find.
"Vulnerabilities have a market value, so it makes no sense to work hard to find a bug, write an exploit and then give it away," said famed Apple hacker Charlie Miller, now working for Twitter, in a ZDNet interview at the time. "Apple pays people to do the same job, so we know there's value to this work."
The next year, Google started paying out for online software flaws, and now famously offers oodles of cash to anyone who can crack the Chrome browser or the associated Chrome operating system. Facebook began its own program in 2011. (Apple still doesn't pay.)
Microsoft held out as long as it could, possibly because its dominance in PC software allowed it to. It tested the waters with a security contest at last summer's Black Hat security conference in Las Vegas, awarding a young Ph.D. student $200,000 for coming up with new defenses against complex attacks.
But the rise of a semi-legal trading market in software flaws — a few companies in Europe base their businesses on selling vulnerabilities to Western intelligence services — has forced the company's hand.
"The research told us that the majority of [security researchers] were going through brokers," Microsoft security strategist Katie Moussouris told the Threatpost security blog. "If we can find these holes as early as possible, we can protect against whole classes of attack. We don't want to wait for a third party."