Microsoft Dangles “Mitigation Bypass Bounty” of $100,000 for Exploit Techniques That Can be Used Against Windows
Microsoft will pay security researchers for issues they uncover in the preview versions of Windows 8.1 and Internet Explorer 11 (IE11) as part of its own bounty program.
Microsoft announced three different programs on Wednesday, but only the program for IE11 matches the structure of a traditional bug bounty program. The other two focuses on getting researchers to work on "truly novel exploit techniques" that could bypass existing defenses in Windows 8.1 preview, and new defensive methods that could block exploitation techniques, Katie Moussouris, a senior security strategist lead at Microsoft Trustworthy Computing, told SecurityWeek. The programs all kick off next week, on June 26, when the previews versions of IE11 and Windows 8.1 become available.
Microsoft is "committed to security from ground up," and the goal is to have "secure products before they're even released," Moussouris said. The final version of Windows 8.1 is not expected before the end of the year.
The Mitigation Bypass Bounty is "seeking holes in the shield," Microsoft said, and will offer researchers $100,000 a piece for truly novel exploit techniques that can be used against the latest publicly available of version, beginning with Windows 8.1 preview, Moussouris said. This refers to techniques that are unknown to Microsoft and are not currently unused in the wild against other products.
The methods must be reliable, reasonable, generic—applicable to one or more common memory corruption vulnerability classes—and impactful, meaning they affect high-risk applications such as browsers and document readers, according to Microsoft's submission guidelines.
Attackers use return-oriented programming techniques to defeat Data Execution Prevention (DEP) and address space layout randomization (ASLR) in various products. This program will help security teams get ahead of new tricks attackers may employ, Moussouris said.
The BlueHat Bonus for Defense offers researchers $50,000 per technical whitepaper which describes a defensive idea that could "effectively block an exploitation technique." This program focuses on creating new defenses that can block bypasses for the latest publicly available version of Windows, beginning with Windows 8.1 preview.
The IE11 Preview Bug Bounty program "is all about the vulns [vulnerabilities]," Moussouris said. Researchers will be paid up to $11,000 per critical vulnerability identified over a 30-day period, from June 26 to July 26. The critical issues have to affect IE11 running on Windows 8.1 preview.
There will be four tiers in the IE11 program. ASLR information disclosure vulnerabilities will pay out approximately $500, and design-level flaws, issues with privacy implications, and sandbox escape vulnerabilities will likely pay $1,100. Remote code execution vulnerabilities can net researchers the maximum payment of $11,000, or even more if the RCE flaw can also escape the sandbox, according to Microsoft.
While Microsoft's own security team will verify each submission, as soon as vulnerability or exploit has been verified, the researcher will be paid, Moussouris said. Researchers will not have to wait till Microsoft figures out how to mitigate the issues.
Unlike many of its counterparts in the industry, Microsoft has never really embraced the concept of offering bug bounties for vulnerability research. While Google has doled out thousands of dollars each quarter to researchers for finding vulnerabilities in its Chrome Web browser, and Mozilla Foundation for its Firefox browser and Thunderbird email client, Microsoft has generally chosen to work with developers directly without the bug bounty structure.
Microsoft's "researcher engagement" over the past 10 years included sending the company's security team to Poland to meet with the people who discovered the Blaster worm back in 2003, launching Blue Hat briefings, and awarding $260,000 in cash prizes as part of the BlueHat competition last year, she said. Microsoft has awarded penetration testing contracts to researchers in the past to collect vulnerability information in certain products.
In recent years, many researchers have stopped reporting security issues directly to Microsoft and have started working with various vulnerability "brokers" who typically pay out generous amounts in exchange for these reports, Moussouris said. Microsoft didn't have a problem with this shift, except for one thing. These brokers generally are not interested in information about products that have not yet been released but are available in preview. Microsoft was concerned that these beta products were not getting necessary researcher attention to ensure serious vulnerabilities are identified and fixed before the final release.
This is where the three bounty programs come in. While Microsoft will continue to engage with researchers on security topics, there are many who are not able to take penetration testing contracts or otherwise work with Microsoft on a formal basis. The programs will broaden the group of available testers and bring in more people, Moussouris said.
At the end of the day, it's about "getting the vulnerability as early in the process as possible," said Moussouris.