Senior security strategist at the Microsoft Security Response Center, Katie Moussouris, announced the extension in a blog post, confirming early attack spotters could be eligible for a payment of up to $100,000.
"We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can 'sing along' to earn big bounty payouts than ever before," read the post.
"[This] means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000."
Microsoft's bug bounty programme was originally announced in June but had far stricter payment criteria and would only reward the author of an exploit. This meant it was all but impossible for bug hunters to earn money for reporting a technique that was already being exploited by the blackhat community.
Moussouris said the new payment system will help Microsoft radically improve its defences, offering an added incentive for the whitehat community to report any attacks they spot.
"We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we'll pay for them even if they are currently being used in targeted attacks if the attack technique is new - because we want them dead or alive," read the post.
The news has been welcomed by the security community. Technical evangelist at WhiteHat Security, Robert Hansen, mirrored Moussouris' sentiment, arguing the move will make it far more difficult for blackhat hackers to target Microsoft products undetected.
"I think it will make a lot of waves amongst the community who has, thus far, paid exclusively on attributable vulnerabilities. It could even somewhat disrupt some of the blackhat markets, by encouraging blackhats to buy or find each other's vulnerabilities and sell them to Microsoft to reduce the competition. I just hope Microsoft is prepared for the onslaught of vulnerability reports they'll be receiving," he said.
Microsoft is one of many companies using bug bounty programmes to help improve the security of its products. In October Google extended its Vulnerability Reward Program to pay bug hunters and security professionals up to $3,133 for security improvements to a number of open source projects.