Tuesday, 8 October 2013

No Simple Bug Bounty: Microsoft Rewards "Novel Exploitation Techniques"

Say you're a software publisher with a global presence. A security hole in one of your products that lets bad guys steal private information or remotely control a victim PC could have far-reaching consequences. If someone discovered such a hole, you'd much prefer they tell you about it than sell the information on the cybercrime black market, right? "Bug bounty" programs aim to encourage this kind of sharing by rewarding those discovering security holes with cash, fame, or both, and they're more common than you may realize.
Bounties Abound
Yahoo's bug bounty program made news earlier this week. A group of Swiss researchers investigating the program started by hunting down three serious cross-site scripting bugs on Yahoo websites, security holes that could allow an attacker to take over a victim's Yahoo email account. (Finding those bugs took them about a day—scary!) After verifying the report, Yahoo offered $12.50 for each bug, redeemable for swag at the company store.
That reward seemed chintzy to many. The backlash from this report was significant enough that Yahoo announced a change, something they were already working on. The new bug bounty program will reward researchers who report a verified bug with cash, not swag, in an amount from $150 to $15,000, with the exact amount determined by a clear, predefined formula. The new program should be in place by the end of this month, but it's retroactive to July 1.
Think you've found a security hole that might be worth something? The bugcrowd website lists all current bug bounty programs, separating them into those that offer a reward, fame plus swag, just fame, or no reward. Click on the link for a given product or service to visit its reporting page.
Facebook, for example, offers a minimum bounty of $500, with no preset maximum. As of August, Facebook had paid out over a million dollars in such bounties.
Payouts from Google for verified bugs follow a well-defined table of values. These range from $100 for a common Web flaw on a low priority Google site to $20,000 for a remote code execution vulnerability in a highly sensitive service. In a nod to "leet-speak," some types come with a $1337 reward.
Microsoft Is Different
[Note: I originally stated "Microsoft has paid researchers $100,000, sometimes more." In fact, Microsoft has not paid such a bounty yet, not since the BlueHat Prize. -njr]
Microsoft offers researchers $100,000, or even more, for work that enhances security, but it turns out the Microsoft program isn't precisely a bug bounty. Katie Moussouris, senior security strategist lead for Microsoft Trustworthy Computing, explained the difference.
"Microsoft's $100,000 Mitigation Bypass Bounty requires participants to submit truly novel exploitation techniques against our latest Windows platform," said Moussouris, "so that we can improve our platform-wide defenses. New exploitation techniques are more difficult to find than individual vulnerabilities and learning about them will help us protect customers against entire classes of attacks to improve security by leaps, rather than addressing one vulnerability at a time." She concluded, "We encourage researchers to read the guidelines of our bounty programs at www.microsoft.com/bountyprograms and send in their submissions to secure@microsoft.com."
A researcher who not only reports a new exploitation technique but also supplies ideas for defense may qualify for an additional $50,000 BlueHat Bonus. And remember, in 2012 Microsoft paid out over a quarter of a million to the winners of its BlueHat Prize contest.
It takes a lot of experience and a dollop of genius to qualify for Microsoft's reward. Security is often a cat-and-mouse game, as criminals devise new attacks and defenders respond with new counters to those attacks. Coming up with new exploitation techniques (and defenses against them) before the bad guys do puts the defense in the lead. As a Windows user, I salute the recipients. Thanks, guys!
