Microsoft has expanded its security bounty program in the hopes of keeping sophisticated Windows exploits off the black market.
Microsoft will now accept Windows bypass techniques that have been seen in active use in the wild for its $100,000 bounty program. Before this, researchers were only allowed to submit proof-of-concept exploits they had developed themselves, as opposed to exploits found in the wild.
“This makes it a…program that encourages incident responders, or anyone else who comes across something in the wild, to be the first to grab it and claim the prize,” blogged Wendy Nather, research director for 451 Research’s enterprise strategy group. “The original creator of a bypass not only has to make sure it evades detection by security technology; he has to protect it from his own confederates, or anyone else who knows about it and thinks $100,000 is pretty nifty.”
Related Podcast: The Story Behind Microsoft’s Bug Bounty Program
The latest announcement is an outgrowth of a rewards program for Windows security that Microsoft established in June. The Windows bounty was one of three programs the company created this summer to promote security; also established was a program to report vulnerabilities affecting the Internet Explorer 11 Preview as well as a reward for up to $50,000 for defensive ideas accompanying a qualifying mitigation bypass submission. The IE program is now closed, though the others remain open.
“Individual bugs are like arrows,” said Katie Moussouris, senior security strategist lead for Microsoft Trustworthy Computing, in a statement. “The stronger the shield, the less likely any individual bug or arrow can get through. Learning about ‘ways around the shield,’ or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of arrows as opposed to a single bug – hence, we are willing to pay $100,000 for these rare techniques.”
To participate in the expanded bounty program, organizations need to pre-register with Microsoft before turning in a submission. Once a person is registered and signs an agreement, Microsoft will accept any technical write-up and proof-of-concept code for consideration, Moussouris noted.
“This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets,” she explained in a blog post. “Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.”