Microsoft’s new programs attract ‘bounty hunters’ who help make safer products

As long as people write code, it’s going to be imperfect. That’s where the class of security researchers colloquially known as “bug hunters” come in, and Microsoft is paying them up to $100,000 via several new bounty programs to catch vulnerabilities, discover techniques that can get past a program’s defenses and even recommend repairs for problems.

“It’s my job to think of new programs to work with the hacker community so we can help protect our customers,” says Katie Moussouris, head of security community and strategy for the Microsoft Security Response Center, and self-dubbed “hacker whisperer.”

Some of the ideas coming from Moussouris and her team are new bounty programs to attract security researchers and hackers who can find bugs in applications and identify the techniques that sneak by defenses built into Windows – and to reward them for that valuable information while a product is still in the beta phase, so it can be fixed before the public uses it.

The Internet Explorer 11 Preview Bounty closed on July 26 after being open for 30 days, since the public release of Internet Explorer 11 Preview at the Microsoft Build Developer Conference in San Francisco. That program focused on reporting bugs and paid out amounts from $500 to $11,000 based on the complexity of the vulnerability and the amount of detail the finders were able to provide to the judging team in charge of evaluating each bug. Moussouris says they received more than 20 submissions for the IE11-specific program.

Two other programs, the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense, are ongoing, ready to pay out up to $100,000 for a truly novel exploitation technique that kneecaps protective systems built into the latest publicly available version of the operating system (Windows 8.1 Preview, also released at Build), and up to a $50,000 bonus for effective defenses against those exploitation techniques. There have been no submissions for these programs yet, but that’s not surprising, Moussouris says, since the number of researchers capable of finding those types of issues number fewer than 1,000 worldwide. The high payouts reflect the high value of mitigation bypasses: While vulnerabilities are one-shot deals and fixed quickly, attackers can use bypass techniques against multiple vulnerabilities. The bounty program wants to yank those powerful techniques out of those attackers’ hands.

Luckily, some may emerge at the Black Hat conference this week in Las Vegas, which will host Live Mitigation Bypass Bounty judging Wednesday and Thursday at the Microsoft booth.

James Forshaw, 35, of London, is one IE11 Preview bounty recipient who has been notified and awarded $1,100 for focusing on bugs that allow for remote control over someone’s machine.

But don’t call Forshaw a hacker, please.

“I probably consider myself more of a tinkerer,” says Forshaw, who is head of vulnerability research at Context Information Security and a former software engineer. “If you say you’re a hacker, you’re bad in some form. If you’re a hacker, the connotation is that you’re an evil hacker who wants to take over systems.” Forshaw prefers to be known as a professional security researcher or consultant.

But, he does admit that it’s his job “to break stuff,” and when he talks, you can hear the enthusiasm that must have swept over him when he encountered a “computer” for the first time, when his dad brought an Atari 800 into their house. (His initial forays into security involved games consoles.)

Forshaw is a fan of these bounty programs because it’s a great way to expand not only his professional reputation, but also his company’s. It shows they’re capable of doing this work and making sure their customers are secure, especially since so many of their customers use Microsoft products. His biggest bounty so far has been $20,000, received at the 2013 Pwn2Own contest held at the CanSecWest security conference.

Moussouris said Forshaw is a familiar face in the security research community. “He’s like one of those guys who sees the code when he looks around, like he’s in ‘The Matrix.’”

While Forshaw is a veteran of bounty programs, Moussouris says the Microsoft programs are a great opportunity to reach bug finders who would normally wait until a product was past the preview phase to sell what they found to “white market” brokers, who then sell services to protect against such bugs until Microsoft is able to fix them. The gap, she says, is in the beta phase of products, during which there are no third-party brokers buying (since beta code is by definition subject to change, making the bugs a poor investment for the protection services). These programs create an incentive for the security researchers to reveal what they know sooner, and directly to Microsoft.

“We’re trying to create an alternative channel for researchers to be rewarded for research that they do,” says one of the program’s judges, Matt Miller. “We believe there is a good body of researchers out there.”

You might also be interested in:

Athima Chansanchai
Microsoft News Center Staff

Comments (0)