After years of benefiting from the bug bounty programs of other companies, Microsoft is finally stepping into the bug bounty business itself by offering three new programs to encourage and compensate researchers who find vulnerabilities in the company's software.
The programs include a $100,000 payout for mitigation-bypass vulnerabilities uncovered in its software products, a $50,000 payout on top of this for a solution that will fix the vulnerability, and $11,000 for any bugs found in the preview release of its upcoming Internet Explorer 11 browser software.
"We think there's not a one-size-fits-all bounty program, so we're announcing three bounty programs," said Mike Reavey, director of Microsoft's Security Response Center.
"If you find a way to bypass one of our shields but you also have an idea how to plug the hole, we'll throw in an additional $50,000," he said, referring to the second program, which goes a step beyond what traditional bounty programs generally do.
Microsoft's move comes after years of being criticized for not compensating researchers for the hard work they do in finding and disclosing bugs, even though the company benefited greatly from the free work done by those who uncovered and disclosed security vulnerabilities in its software.
In 2009, Charlie Miller, a once-independent security researcher who now works for Twitter, launched a “No More Free Bugs” campaign with fellow security researchers Alex Sotirov and Dino Dai Zovi to protest freeloading vendors like Microsoft that weren’t willing to pay for the valuable service bug-hunters provided, and to call attention to the fact that researchers often got punished by vendors for trying to do a good deed.
Last year Microsoft security chief Mike Reavey defended the company's lack of a bug bounty program by saying that the company's BlueHat security program, which pays $50,000 and $250,000 to security pros who can devise defensive measures for specific kinds of attacks, was better than paying for bugs.
“I don’t think that filing and rewarding point issues is a long-term strategy to protect customers,” he told reporters at the time.
Reavey said the reason the company decided to launch bounty programs now was because the white-market bounty programs -- such as one sponsored by HP-Tipping Point's Zero Day Initiative -- have gaps in them and don't tend to produce vulnerabilities for the hardest-hitting issues such as mitigations-bypass vulnerabilities that affect Microsoft's built-in security features.
"These mitigation bypasses are the keys to a lot of successful attacks," Reavey said, "and we find out about those only through [annual bug] contests. [But] we don't want to wait for a contest. We want to get those as soon as possible, the earlier the better."
Mitigation bypass vulnerabilities are ones that allow an attacker to circumvent security features, such as sandboxes, that browser makers place in their software to thwart hackers.
"Any compelling attack is going to have to have a mitigation bypass because that's what we've been investing in for years [to secure Microsoft software]," Reavey said. "We think they're smart [bounty] programs, because they're going to get the most crucial issues in as early as possible."
The third bounty program, involving finding vulnerabilities in the pre-release of IE 11, is designed to fill another gap in standard bounty programs, which focus on finding vulnerabilities in products after they're released. Reavey said Microsoft wanted to reward researchers who found them before the software was released to the market and before they began affecting customers.
"That's really the best place to get the vulnerabilities [before the product goes to market], because you get it during the engineering phase of the product," he said.
While the first two bounties for bypass and mitigation vulnerabilities will run year-round, the IE 11 pre-release bounty will only run during the 30 days of the preview period for the software, beginning June 26. Reavey said the programs are open to researchers 14 and older, and the full rules for the programs (.pdf) are posted to the company's web site.
Vendor bounty programs have been around since 2004, when the Mozilla Foundation launched the first modern pay-for-bugs plan for its Firefox browser. (Netscape tried a bounty program in 1995, but the idea didn’t spread at that time.) Google, Facebook and PayPal have all launched bug bounty programs since then.
Google also has the Pwnium contest, a more recent addition to its year-round bug bounty programs, which launched in 2010. The contest is aimed at encouraging independent security researchers to find and report security vulnerabilities in Google’s Chrome browser and web properties.
In addition to vendor bounty programs, there are third-party white-hat bounty programs sponsored by security firms, which buy vulnerability information in software applications made by Microsoft, Adobe and others.
iDefense, which provides security intelligence services, launched a bounty program in 2002, but it’s long been overshadowed by the more prominent HP Tipping Point Zero Day Initiative (ZDI) bounty program, launched in 2005. The ZDO program is a year-round bounty program, but HP Tipping Point also sponsors the Pwn2Own exploit contest each year at the CanSecWest conference, which pays for exploits.
HP Tipping Point uses vulnerability information submitted by researchers to develop signatures for its intrusion prevention system. The company then passes the information to the affected vendor for free, such as Microsoft, so the software maker can create a patch. This means the software maker gets all the advantages of receiving bug reports, without having to pay for them.
Microsoft also benefited directly last year from a bug report that Google paid for, after the search giant generously doled out a $5,000 bounty to two researchers for a bug they uncovered in its rival's operating system.
Rates for paying researchers vary among the bounty programs and range from $500 to $60,000, depending on the vendor, the ubiquity of the product and the critical nature of the bug.
Mozilla pays between $500 and $3,000, and Facebook pays $500 per bug, though it will pay out more depending on the bug. The company has paid $5,000 and $10,000 for a few major bugs.
Google’s Chromium program pays between $500 and $1,333.70 for vulnerabilities found in Google’s Chrome browser, its underlying open source code or in Chrome plug-ins. Google’s web properties program, which focuses on vulnerabilities found in Google online services such as Gmail, YouTube.com, and Blogger.com, pays up to $20,000 for advanced bugs, and $10,000 for a SQL injection bug — the everyday workhorse of vulnerabilities. The company will pay more “if something awesome comes in,” Google's Chris Evans told Wired last year. “We’ve done that once or twice.” The company maintains a Hall of Fame page to give shout-outs to its bug hunters.
By contrast, Google’s Pwnium contest, which requires researchers to go beyond just finding a vulnerability and submit a working exploit to attack it. Google launched the program with a $1 million total purse — with individual awards paid at a rate of $20,000, $40,000 and $60,000 per exploit, depending on the type and severity of the bug being exploited. Last month, the company increased the total purse to $2 million.
In total, the Mozilla Foundation has paid out more than $750,000 since launching its bounty program; Google has paid out more than $1.7 million.
The ZDI bounty program has processed more than 1,000 vulnerabilities since it launched in 2005 and has paid more than $5.6 million to researchers. The program pays varying rates that change depending on the vulnerability.
Chris Wysopal, co-founder and CTO of Veracode, a firm involved in the testing and auditing of software code, told Wired last year that bug bounty programs are not only a way for companies to fix their software, but a way to maintain good relations with security researchers.
“What the bug bounty program is saying is, ‘I’m hoping that the community does the right thing with respect to vulnerabilities in my software, and I want to reward people for doing the right thing,’” Wysopal said. “So the existence of the bug bounty program gets beyond just ‘I’m trying to secure my applications.’ It’s also ‘I’m trying to have a good relationship with the research community.’”
Update 11:20 am PST: To reflect the most recent amount for Google's total payout to date.
