Microsoft was late to the bug bounty party but the company’s program is now going gangbusters.
Bug bounty programs, which pay good money to researchers for finding software security flaws, date all the way back to the 1990s, when the first program was launched by web browser firm Netscape. Other software giants, such as Mozilla, Google, and Yahoo!, followed suit in the 2000s.
But Microsoft, despite being a leader in fixing software vulnerabilities with its monthly Patch Tuesday updates, didn’t launch a bug bounty program until 2013.
In that year, Microsoft launched a number of bug bounty programs – one for finding mitigation bypass vulnerabilities in its Windows platform, another for providing a defense against a Windows vulnerability, and a third to find flaws in its Internet Explorer 11 browser, which was still in development at the time.
The following year, Microsoft launched a bug bounty program for its Office 365 online services, and last year expanded that program to include its Azure cloud services. In addition, the Redmond-based company launched the Microsoft Edge Preview program that covered its new Windows 10 Edge web browser, then in development.
In October last year, Microsoft launched a bug bounty program for its .NET web development framework, including the public technical preview of ASP.NET. And just this month, Microsoft unveiled the successor to that program, which covers beta builds of the .NET Core and ASP.NET Core RC2 frameworks and runs through September of this year.
A couple of months ago, Microsoft launched the Nano Server technical preview bounty program, which runs through July 27, 2016. The Nano Server, an installation option in Windows Server 2016, is a remotely administered server operating system for data centers and private clouds. “This new bounty will be in addition to our ongoing Nano Server beta, Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft,” explained Jason Shirk, senior director of the Microsoft Security Response Center, in a blog post.
The bug bounties for these various programs range from only $500 up to $100,000 for “truly novel exploitation techniques against protections built into the latest version” of Windows, Microsoft explained.
The Microsoft bug bounty program has inspired many security researchers to find security holes in its products. For example, in this most recent Patch Tuesday update, Chinese researcher Yang Yu was awarded $50,000 for uncovering an elevation of privilege vulnerability in every version of Windows since Windows 95. Left unpatched, the security flaw could enable an attacker to bypass a network firewall and steal network traffic or spoof a network print or file server, Yu told Threatpost.
And last month, independent security researcher Kieran Claessens said that the bug bounty program inspired him to discover a vulnerability in Microsoft’s education subdomain that could give an attacker remote access to the site.
Claessens was able to find the vulnerability in an image uploader in an editor to build a course page on the site. He informed Microsoft, which issued a patch to fix it. “I did not receive any bounty for this, as it was out of scope, but I did get a notification on the Microsoft security researcher acknowledgment page for April,” he observed.
While Microsoft has found religion about bug bounty programs and white hat hacking in general, not all large software vendors agree that paying researchers to hack their software is the best use of their money. For example, enterprise software giant Oracle does not offer a bounty for bugs. In fact, Oracle Chief Security Officer Mary Anne Davidson thinks white hat hackers are a bunch of “security weenies.”
In a 2015 blog post, Davidson accused security researchers of causing unnecessary “mass panics” by disclosing certain less-than-critical vulnerabilities with catchy names, such as POODLE and Shellshock.
She followed that with another blog warning customers who looked for security vulnerabilities in Oracle’s software that they were violating their software licensing agreement (and implicitly facing a lawsuit). That blog was so controversial it was pulled by Oracle shortly after it hit the web.
In that blog post (retained by Seclists.org), Davidson wrote: “Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure.”
She continued: “Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers….why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is ‘whack a code mole’) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues.”
So who is right? The vendors who offer bug bounties or those who don’t? In a study released this month, Bugcrowd, which runs bug bounty programs on behalf of smaller software vendors, found that bug bounty programs appear to be succeeding. For its second annual bug bounty study (email signup required), Bugcrowd looked at bug bounty programs running from Jan. 1, 2013, to March 31, 2016. According to the study, bug bounty programs are turning up more serious vulnerabilities and companies are paying out more money for bugs, with the average payout increasing 47 percent from last year’s report.
Of course, Bugcrowd has an economic incentive to highlight the effectiveness of bug bounty programs. Still, the company offers one of the few comprehensive looks at programs across vendors and has comparable annual data.
So it appears that more vendors are choosing bug bounty programs and paying more to researchers because the programs work. But as Microsoft’s Shirk observed, these programs need to be part of a comprehensive strategy by vendors to find and fix security vulnerabilities, whether in-house or with the aid of outside security researchers.