Microsoft’s Security Bounty Program

Microsoft has revealed details on its new bounty program for security research. Unlike a typical bounty program that just pays a researcher for finding a specific vulnerability, Microsoft is offering rewards for a broader range of attacks on mitigation techniques.

  1. Mitigation Bypass Bounty. Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would. TIMEFRAME: ONGOING
  2. BlueHat Bonus for Defense. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass submission. Doing so highlights our continued support of defensive technologies and provides a way for the research community to help protect more than a billion computer systems worldwide. TIMEFRAME: ONGOING (in conjunction with the Mitigation Bypass Bounty).

As you can see, the focus isn’t on specific vulnerabilities, it’s on hardening mitigation techniques to blunt entire classes of vulnerabilities. A mitigation technique such as DEP prevents an attacker from executing code they have injected into non-executable memory like the stack or heap. Another technique, ASLR, makes bypassing DEP more difficult: by randomizing where code is loaded, it denies the attacker the known addresses that Return Oriented Programming depends on.

Flaws in these techniques can lead to bypasses, and because a bypass works across vulnerabilities rather than against a single one, it has a much larger impact.

Microsoft has done this before. In the past their rewards program has led to a series of new “Anti-ROP” techniques in the EMET program. Improving and adding to these techniques drives up the cost of every exploit.
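One practical consequence for defenders is that a binary only benefits from DEP and ASLR if it opts into them at link time, and the opt-in is recorded in the PE optional header's DllCharacteristics field. The following script is an added example and is not code from the original post or from Microsoft: it parses that field from raw PE bytes and reports the DEP (NX_COMPAT), ASLR (DYNAMIC_BASE) and, for 64-bit images, high-entropy ASLR (HIGH_ENTROPY_VA) flags. The flag values are the documented Windows constants; the sample images it checks are constructed in-line so it runs offline. The helper `build_sample_pe` is hypothetical and builds only the headers needed for the check, not a loadable executable.

```python
import struct

# Documented IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with a high-entropy address space
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image is compatible with DEP (NX)

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # offset of DllCharacteristics inside the optional header (same for PE32 and PE32+)


def read_dll_characteristics(data):
    """Return (is_64bit, dll_characteristics) from raw PE bytes, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header follows the signature
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header follows the COFF header
    if size_of_optional < DLLCHAR_OFFSET + 2 or len(data) < opt + size_of_optional:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_characteristics = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)[0]
    return magic == PE32PLUS_MAGIC, dll_characteristics


def mitigation_report(data):
    """Map each mitigation to True/False; high-entropy ASLR is None for 32-bit images."""
    is_64bit, flags = read_dll_characteristics(data)
    return {
        "DEP": bool(flags & NX_COMPAT),
        "ASLR": bool(flags & DYNAMIC_BASE),
        "HighEntropyASLR": bool(flags & HIGH_ENTROPY_VA) if is_64bit else None,
    }


def build_sample_pe(is_64bit, dll_characteristics):
    """Constructed sample (hypothetical helper): just enough PE headers to exercise the parser."""
    size_of_optional = 0xF0 if is_64bit else 0xE0
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if is_64bit else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHAR_OFFSET, dll_characteristics)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if is_64bit else 0x14C, 1, 0, 0, 0,
                       size_of_optional, 0x0002)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature lives at offset 0x40
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


# Constructed inputs: a hardened 64-bit image and a 32-bit image with no opt-ins at all.
HARDENED_IMAGE = build_sample_pe(True, NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA)
WEAK_IMAGE = build_sample_pe(False, 0)

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED_IMAGE), ("weak", WEAK_IMAGE)):
        print(name, mitigation_report(image))
```

On a real system the same function can be pointed at any `.exe` or `.dll` read from disk; a module that reports `ASLR: False` is a candidate for the kind of bypass the Mitigation Bypass Bounty is meant to surface, because an un-randomized image hands an attacker fixed addresses regardless of how the rest of the process is protected.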

Microsoft is also paying out for Internet Explorer 11 vulnerabilities:

  1. Internet Explorer 11 Preview Bug Bounty. Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview). The entry period for this program will be the first 30 days of the Internet Explorer 11 beta period (June 26 to July 26, 2013). Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure. TIMEFRAME: 30 DAYS

IE11 is available on the Windows 8.1 Preview, and Microsoft is hoping that researchers can help break into it so they can gauge its security. While fixing individual vulnerabilities does not by itself add much to security, it does help the developers behind IE11 see where attackers will go. If I were an IE11 developer, and I got reports from a dozen researchers showing that they could break into my program through the JavaScript renderer, I’d know that I needed to really focus on securing that component, because it’s likely the easiest spot to attack. So while those patches themselves may not make the program much more secure, the knowledge gained from viewing trends will.

I’d like to see more bounty programs like this, but Microsoft is in the best position for it – a browser can’t always do much about mitigation techniques, as they have more to do with the operating system and compilers. I think a lot of good will come from this program.