Battling against zero-day exploit black market, Microsoft expands $100,000 bug bounty

Microsoft expands its $100k Bug Bounty program, opens up mitigation bypass submissions to 'thousands' in order to 'disrupt the vulnerability and exploit markets.'

In the current zero-day exploit market, it's common to pay out six figures for a single exploit, and now Microsoft has thrown open the door and invited more security-minded individuals to compete for the $100,000 prize. Granted, Microsoft words it differently from a pay-for-bugs plan: its bounty evolution plan, which was "designed to change the dynamics and the economics of the current vulnerability market," will pay for mitigation bypass techniques. But as Andrew Storms, director of DevOps at CloudPassage, pointed out, it's "very much riding the line of paying for zero-days."

"We are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild," Katie Moussouris, Microsoft senior security strategist lead, wrote on the BlueHat blog. "Now, both finders and discoverers can turn in new techniques for $100,000."

This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.

Microsoft believes that new mitigation bypass techniques are "much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug - hence, we are willing to pay $100,000 for these rare new techniques."

Yet however Microsoft chooses to word it, Storms said, "It sure does seem to boil down to a person or organization has gotten their hands on a new attack method and they turn it over to Microsoft for a payout. Although I guess you could say that they are paying for a technique instead of a payload."

Denying this new program is a bug bounty is "splitting hairs," according to Chris Wysopal, co-founder and CTO of Veracode. "It's only for mitigation bypasses; it's not just for any zero-day bug. They're not paying for a zero-day [vulnerability] in Windows XP, for example."

So how can you try for a piece of the exploit money pie? "To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com. After you preregister and sign an agreement, then we'll accept an entry of technical write-up and proof of concept code for bounty consideration."

The prequalification requirement before submitting could be "so that one black hat couldn't get paid for stealing from another black hat," said Wysopal. "They're trying to make sure that only white hat, legitimate incident responders, get the money."

In the end, Microsoft said that "evolving the bounty landscape" will benefit its customers. It could possibly give the government a heads-up advantage as well, since Microsoft "provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix." Bloomberg reported that "information can be used to protect government computers and to access the computers of terrorists or military foes." However, "Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government 'an early start' on risk assessment and mitigation."

But nearly everyone seems to be in the market for zero-days; a report earlier this year claimed that the U.S. government is the biggest buyer of zero-day vulnerabilities. Even the NSA contracts with zero-day exploit vendors like the French firm Vupen Security. In fact, Professor Ross Anderson, of the University of Cambridge, previously told TechWeekEurope that "researchers are purposefully placing bugs in open source software during the development stages, so that when code appears in completed products, those same researchers can highlight the flaws and profit from them where companies are willing to pay."

When it comes to Microsoft changing its $100,000 bug bounty program to now include 'responders and forensic experts who find active attacks in the wild', "the idea is to reduce the amount of time that a new technique is useful for attackers." But you can expect more changes coming to the bounty program, since Moussouris told ThreatPost, "I have some other things up my sleeve."

Copyright © 2013 IDG Communications, Inc.