2010 was a big year for vendor bug bounty programs. Google announced its program in January with a bounty of $1,337 for high-severity security bugs in its Chrome browser. Then in July Mozilla sextupled its bounty to $3,000, and the Google program went from “Leet” to “Elite” with an increase of its bounty to $3,133.70. Sensing a trend, and feeling that vendor bug bounties “had arrived,” the Veracode research team made one of our 2011 Predictions that Microsoft would jump on the bandwagon too.
This is what we said in December 2010:
Following Google’s and Mozilla’s lead, more companies offer to pay researchers for reporting bugs to them. Microsoft, which stated years ago that they wouldn’t ever pay for bugs, caves to industry pressure as they are hit with more uncoordinated disclosures than their peers.
Alas, 2011 ended and there was no Microsoft bug bounty program in sight. Over 2011 and 2012 we saw more companies begin programs, as Facebook, PayPal, and Etsy joined in. Microsoft had long resisted the idea of paying researchers for bugs, but it is clear they were thinking about how to engage the research community with hard cash. In 2012, Microsoft introduced the BlueHat Prize for novel ideas to prevent the exploitation of memory corruption vulnerabilities. The contest seems to have been a success, as the 3 prizes were handed out to 3 researchers who created ROP mitigation techniques. Here we are a year later, and Microsoft is announcing a permanent program that both builds on the BlueHat Prize and adds a new spin on traditional bug bounty programs.
The first part of Microsoft’s new program is the Mitigation Bypass Bounty. Instead of rewarding individual bugs, the bounty goes to novel techniques that bypass Microsoft’s exploitation mitigations such as /GS, SafeSEH, DEP, and ASLR. For modern Windows apps, the hard part of building a workable exploit is bypassing the mitigations, not finding potentially exploitable coding errors. By offering a big bounty, $100,000, and rewarding research on the most challenging part of exploitation, Microsoft is creating an incentive for researchers to focus on improvements that can help the entire Windows platform. There is even an added bonus of $50,000 if a defense is proposed alongside the bypass technique.
With the rise of sandboxes for apps and improvements in exploit mitigations in compilers and OSes, we are seeing that mitigation bypasses are where all the real action is. By recognizing this, Microsoft has built a better bounty program. By fixing mitigation bypass vulnerabilities, Microsoft can help secure software written by other vendors for the Windows platform. So in a way this is a platform bug bounty program, not just a program for one vendor.
The second part of the program is also something new. Microsoft is opening up the finding of individual bugs to one product, Internet Explorer 11, and paying bounties only for a 30-day beta period. These payments range from a high of $11,000 for remote code execution down to $500 for an ASLR info disclosure vulnerability. By doing this during the beta period, Microsoft is creating an incentive to disclose bugs before the product is in wide use. This should save both Microsoft and its customers money by avoiding the need to create and install patches after the initial product release. Researchers often gripe that they are performing QA for the vendor and that they should get paid. A bug bounty program during beta makes this a reality.
The backdrop to any bug bounty program is the zero-day vulnerability market, where researchers sell to governments, and potentially to anyone with cash, instead of informing the vendor, bounty or not. The growth of this market, and its potential to grow further, is part of the calculation any vendor makes when deciding whether to run a bounty program and how to set bounty values.
I am a little surprised that it took Microsoft this long to create a bug bounty program. They seem to be jumping in with a second-generation bug bounty program that puts the emphasis on exploitation and on valuable mitigation techniques. On the open market these techniques could be used to build many zero-day exploits and possibly command more than the Microsoft bounty, so the open market is still the competition. I will be watching eagerly to see how many mitigation bypass bounties get claimed over the next year.
Bugcrowd has a nice list of bug bounty programs.