What comes to mind when I say the name “Pumpsie Green”? Nothing? OK. How about “Jackie Robinson”?
Yes. That second name you probably know. Jackie Robinson? The six-time all-star with a .311 career batting average? The mesmerizing hitter and fielder who played in six World Series over his ten-year career, including a 1955 World Series Championship with the Brooklyn Dodgers?
Right. Everyone knows who Jackie Robinson is and about the Dodgers’ historic decision to field him at first base on a day in April, 1947 – emphatically breaking an unofficial, eight decade-old ban on black players in Major League Baseball.
So what about that Pumpsie Green character? Well, he made history too. Green was the first black player on the last Major League Baseball team to integrate: my own Boston Red Sox, who called him up from the minor leagues on July 21, 1959 – more than twelve years after the Dodgers added Robinson to their lineup. Green, who will turn 80 this October, played for the Red Sox for three seasons and then one with the Mets before his career in the majors ended. He spent the rest of his life coaching high school baseball in Berkeley, California and teaching high school math.
Why am I talking about Pumpsie Green and about baseball? Well, because Microsoft on Wednesday announced that it has decided to start paying researchers for finding vulnerabilities in its software, and it struck me that the news is historic – but in a “Pumpsie Green” kind of way rather than a “Jackie Robinson” kind of way.
As with the Red Sox, Microsoft is a brand with a lot of clout. The company’s operating system still runs the vast, vast majority of computers on this planet. Its Office suite is still the de-facto toolset for most office workers, and its Internet Explorer is still the most widely used Web browser. As with the Red Sox, almost any major change in the way Microsoft does business warrants attention and notice.
But I’m afraid that Microsoft’s decision to adopt a policy of paying for software vulnerabilities – like Green’s ascension to the Red Sox – will be remembered more for its lateness than anything else. After all, bug bounty programs have been around for more than seven years. TippingPoint (now part of HP) introduced its Zero Day Initiative – the first of its kind – back in 2005 at the Black Hat Conference, almost eight years to the day before Microsoft will formally unveil its own.
Back in 2005, TippingPoint and ZDI were seen as a middle ground between two warring camps. On one side was the “full disclosure” crowd – mostly independent security researchers – who followed the “information wants to be free” mantra and argued that any information on software vulnerabilities should be made publicly available – immediately. On the other side was the “responsible disclosure” group – mostly vendors (like Microsoft) who wanted researchers to keep their discovery secret, privately divulging it to the affected software vendor to fix – in due time.
Since then, however, the whole world has changed. The heat around “full” versus “responsible” disclosure now seems quaint: a relic of a time when it wasn’t obvious that anyone with a zero day of any importance would immediately shop for buyers among the world’s intelligence agencies, militaries, military contractors, security firms or (worse) cybercriminal groups.
Forward-thinking companies long ago saw the way the wind was blowing and introduced their own vulnerability “bounty” programs. Today, leading brands like Google, Facebook, Paypal and The Mozilla Foundation all pay researchers who discover serious and exploitable security vulnerabilities in their products.
Even some less-well known brands have gotten into the act, like the crafts site Etsy.com and Mega, the online storage service launched by Internet bête noir Kim Dotcom. In fact, bounties have become something of a staple of the security community, with contests like Pwn2own and Pwnium drawing some of the world’s top talent for a chance to win prizes and cash – serious cash. Google put $3.14 million in potential prizes on the table for the most recent Pwnium contest in March.
All the while, Microsoft – whose software runs on more than 90 percent of the world’s computers – sat on the sidelines. The company took a principled stand on paying for vulnerabilities early on and stuck to it – doggedly. As recently as 2010, Jerry Bryant, the Lead Senior Security Program Manager at Microsoft, told Dennis Fisher at Threatpost.com that the company didn’t think “paying a per-vuln bounty is the best way” to recognize the work of vulnerability researchers “especially when across the researcher community the motivations aren’t always financial.”
Because since when is money a good way to recognize accomplishment, right?
In lieu of cash, Bryant told Threatpost, Microsoft would “acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update” and hire researchers as employees or contractors. Woo hoo!
Microsoft might have been correct – at one time – in its belief that many vulnerability researchers had motivations other than financial reward. But there’s a big difference between turning down a $300 or $500 purse to play nice with Redmond and turning down a $5,000 or even $50,000 or $100,000 payday to do so, as talented researchers would now be asked to do.
Microsoft got the message. Its new bug bounty program will offer top dollar – $100,000 for “truly novel” exploitation techniques that defeat protections built into the very latest version of Windows, 8.1 Preview, and $11,000 per bug for exploitable vulnerabilities in the latest version of Internet Explorer, IE 11 Preview.
The company, pointedly, is not extending the program to cover the hundreds of millions of systems running legacy versions of its operating system and productivity software – the Windows Vista, Windows 7 and Windows 8 machines that are used widely in corporate and residential settings.
Theirs is a forward-looking program aimed at improving defenses in future releases. As such, it constitutes a kind of half step in the direction of a full bug bounty program. But in exempting almost all the production systems running Windows and IE, Microsoft has also guaranteed that the benefits of its bounty program won’t be realized for years.
Even if Microsoft does eventually institute a bounty program that covers all its supported products, I’m afraid that the company long ago missed its moment. As it has in other arenas, Microsoft failed in the organizational and strategic challenge of perceiving where the market for software security was going and positioning Microsoft to be a leader, rather than a follower.
Like the Red Sox and Jackie Robinson, Microsoft’s bug bounty program is important because of what Microsoft is. But the company’s failure to read the writing on the wall eight or even five years ago leaves the rest of us to wonder “what if?” What if the world’s most important and one of its wealthiest software firms had put its weight and its check book to work early on, buying up vulnerabilities and the talent that discovered them before they fell into the wrong hands? What attacks may have been prevented? What shadowy cyber operations hamstrung? What data and intellectual property left undisturbed? As with the Red Sox and Jackie Robinson, we’re all stuck wondering “what if?”