Slashdot Mirror


Microsoft Launches $100k Bug Bounty Program

Trailrunner7 writes "After years of saying that the company didn't need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws. Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case. The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."

68 comments

  1. Question? by Anonymous Coward · · Score: 1

    How much does the NSA then pay for the bugs? ;-)

    1. Re:Question? by TapeCutter · · Score: 1

      How much does the NSA then pay for the bugs? ;-)

      Doesn't matter, they have 300 million pin numbers to choose from?

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    2. Re:Question? by Guppy06 · · Score: 0

      The NSA pays Microsoft $200k to implement the "bug" to begin with, so they're still making a net profit.

  2. Bugs in Windows? Unthinkable! by linear+a · · Score: 0, Troll

    Bugs? In Windows? I'm gonna be rich!

    1. Re:Bugs in Windows? Unthinkable! by Anonymous Coward · · Score: 3, Insightful

      Now's the time to put up or shut up!

    2. Re:Bugs in Windows? Unthinkable! by linear+a · · Score: 3, Insightful

      Slashdotters shut up about Windows? Also unthinkable.

    3. Re:Bugs in Windows? Unthinkable! by ackthpt · · Score: 0

      Bugs? In Windows? I'm gonna be rich!

      They're gonna be bankrupt.

      --
      A feeling of having made the same mistake before: Deja Foobar
    4. Re:Bugs in Windows? Unthinkable! by Mister+Transistor · · Score: 2, Funny

      This is old news! I have been getting rich forwarding emails from Microsoft's Email Beta Test program for years now.

      That check should be showing up any day now...

      --
      -- You are in a maze of little, twisty passages, all different... --
    5. Re:Bugs in Windows? Unthinkable! by __aaltlg1547 · · Score: 1

      Not likely. It's an "up to" meaning "not more than." Any amount less than $100,001 is in compliance with that policy.

    6. Re:Bugs in Windows? Unthinkable! by Bremic · · Score: 3, Interesting

      I kind of agree.

      However, there are some things that will make this nearly impossible to claim even if you manage to find something.

      It needs to be new, which means something they didn't know about.
      However, they don't need to tell anyone when they learn about something new, which opens a perfect hole for them to say "Oh that one, we knew about that one" even if they didn't.

      The line "a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows" is also important, because it gives them another way out of paying for it. "Oh, you are using Windows 8 with security patch 8.12.235321, but we are about to release security patch 8.12.235322 which has already fixed that - so you weren't on the latest version."

      These are old tricks, which I have seen used by companies for other things where there is supposedly a reward.

    7. Re:Bugs in Windows? Unthinkable! by SpaceLifeForm · · Score: 2

      May as well make it look like NSA is not paying millions per sploit.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    8. Re:Bugs in Windows? Unthinkable! by tibman · · Score: 1

      If that's the case then you can immediately publish a working exploit as soon as they say they already know about it : ) I think they'd lose that fight, lol

      --
      http://soylentnews.org/~tibman
    9. Re:Bugs in Windows? Unthinkable! by Anonymous Coward · · Score: 0

      Last week I had a new W8 RT hit my bench. It was in lockout; I recovered the doc folder with all files readable, made an admin desktop and was in. Give me my money!

  3. Finally by MaxDollarCash · · Score: 5, Insightful

    Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now. At least now the researchers discovering the bugs have an incentive to sell to microsoft and get the bug fixed instead of selling it to the highest bidder who will probably use it to create either "private"-malware or government-malware. Thank you m$

    1. Re:Finally by linear+a · · Score: 2

      Can the MS devs apply to the program for some *very* recent bugs?

    2. Re:Finally by hilather · · Score: 1

      Not only that, it's an incentive for other people, who may have access to an unknown zero day, to disclose that information to MS for the bounty.

    3. Re:Finally by Anonymous Coward · · Score: 0

      Just be sure you don't submit the bug report until after the patch with your deliberately-added bug is released.

      (If you were not implying that an MS dev might deliberately introduce bugs in order to cash in on this program, please ignore this post.)

    4. Re:Finally by Anonymous Coward · · Score: 1

      http://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml

      I'm guessing they just give you part of what they get from the NSA now.

    5. Re:Finally by drinkypoo · · Score: 0

      Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now.

      they couldn't afford a bounty like this until Windows 7 was SP'd...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Lets hope they have deep pockets by mrspoonsi · · Score: 1

    There could be an influx of bug reports. I guess all those zero days waiting in the wings for a buyer might be cashed in, which is the whole point of this program, so the question is: why did it take 15 years to arrive?

    1. Re:Lets hope they have deep pockets by Anonymous Coward · · Score: 0

      Lets hope they have deep pockets

      err, it's Microsoft. They are the king of deep pocket spending to achieve a goal.

  5. Metro by Anonymous Coward · · Score: 0

    Metro. Eagerly awaiting my check for $100k.

  6. Breaking News: Microsoft goes bankrupt. by Anonymous Coward · · Score: 0, Funny

    After just one hour since they announced their "100k per bug" program, over 4 million unique bugs were reported. When looking for comment, Steve Ballmer was seen parasailing into the sunset on his golden parachute.

    1. Re:Breaking News: Microsoft goes bankrupt. by Anonymous Coward · · Score: 0

      Please note the weasel words "up to" which of course includes 0. How many do you think they will actually pay for?

    2. Re:Breaking News: Microsoft goes bankrupt. by linear+a · · Score: 1

      Does "up to" include negative numbers?

  7. Deal or no deal by TapeCutter · · Score: 1

    Bank offer is $100K, do you take it or risk losing it to someone else while you figure out a "defensive technique" and collect the extra $50K?

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  8. Rich by Frankie70 · · Score: 0

    Now all those slashdotters who keep insisting that Windows is ridden with security bugs (like they were in the early 2000s) have an opportunity to put up or shut up.

    1. Re: Rich by Anonymous Coward · · Score: 0, Informative

      Disregarding the Russian zero day exploit forums, according to Secunia Windows 7 (Win 8 is still too young and has only 42 warnings) is ridden with 142 advisories and 294 vulnerabilities. At least 5% are still not fixed and are highly critical (endangering. Red alert).

      Windows and security was and will always be an oxymoron.

    2. Re:Rich by Anonymous Coward · · Score: 0

      Why did you even say this?

      Why didn't you post it anon at least?

  9. Exploit circle by Anonymous Coward · · Score: 2, Informative

    1) Pay for exploits up to 100,000
    2) Sell exploits to NSA for up to 200,000, guaranteed unpatched for x days
    3) Patch exploit; forcing NSA to buy more exploits
    4) Repeat steps
    5) Profit!

  10. Why so much? by wisnoskij · · Score: 1

    So up to a short time ago people did this for free? But now they are worth 100K a pop?

    --
    Troll is not a replacement for I disagree.
    1. Re:Why so much? by __aaltlg1547 · · Score: 1

      Because there has been a body of very effective bug finders who find bugs for profit.

    2. Re:Why so much? by mjwx · · Score: 0

      So up to a short time ago people did this for free? But now they are worth 100K a pop?

      Actually it's a $100,000 program, not $100,000 a bug. With the volume of bugs in Windows they will probably be broke in a week offering $5 a pop.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  11. What about XP? by slashmydots · · Score: 1

    Update: the going price for an exploit in XP is $5 in Xbox Live credit, lol.

  12. I just quit my day job by Anonymous Coward · · Score: 0

    time to go hunt me some bugs

    1. Re:I just quit my day job by Z00L00K · · Score: 0

      No problem - Windows itself is a bug.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  13. What about async/await? by elabs · · Score: 0

    He seems to only be comparing the API that Java and C# have in common. C# has gone way beyond Java with async/await, true generics, properties, dynamic objects, the var keyword, and many more features. Sure, they are comparable languages if you just use the subset of C# that maps to Java.

    1. Re:What about async/await? by Anonymous Coward · · Score: 0

      Wrong topic!

    2. Re:What about async/await? by Anonymous Coward · · Score: 0

      Wrong topic, butttttt.....

      Have you ever tried to run a recent C# application in mono?

      I agree with your statement, generally... Java and C# are comparable in their respective comparable areas.

      It's just that as far as I'm concerned the relative lack of support under Linux (let alone anything else, and no I'm not fucking running Windows CE on an embedded device, thanks) makes this a no brainer.

  14. Count me in! by elabs · · Score: 0

    I've always wanted to be a part of one of these. I have no hacker skills but I can spot bugs.

  15. Bug no. 54321: Mitigating factors... by jkrise · · Score: 1

    "...will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."

    In this style: http://technet.microsoft.com/en-us/security/bulletin/ms12-020

    Bug no.: 54321
    Severity: Critical
    FAQ: Allows privilege escalation
    Mitigating factors:

    1. There are only 3 genuine users of the latest version of our operating system

    2. We care a damn about affected earlier versions since those lousy bastards need to upgrade anyway

    So it is a bug yes, latest version affected yes, but Bounty for you? No!!

    --
    If you keep throwing chairs, one day you'll break windows....
  16. How much of that is NSA money? by Anonymous Coward · · Score: 0

    https://www.openrightsgroup.org/blog/2013/nsa-affects-responsible-disclosure

    At least from now on, the only responsible disclosure is full disclosure.

  17. This is clearly an economically sound decision by Anonymous Coward · · Score: 0

    I think that by making this decision, Microsoft is clearly slapping the 'slashdot crowd' in the face. Real Hard. They are fucking sick of your hater bullshit. I am with them, personally. They have sound product that has stood the test of time. Fuck you and your slashdot elitist crap. I DARE you to break windows.

    I'm fully in support of this. They have the resources and knowledge to fix this from the root up. Just tell them what they did wrong, and they'll fix it. Hate them? Too bad... just say what's wrong, and please let them fix the world? The rest of them have to deal with Windows... help them live through the pain.

    Thanks,
    Me

    1. Re:This is clearly an economically sound decision by Anonymous Coward · · Score: 0

      What? No, really, what?

      Have you ever seen a skid with a botnet? I have, and I have seen quite a few of them.

      How do you think these little amateur botnets are created? Spoilers: it's because Windows in all of its incarnations has vulns that skids can exploit without even knowing what TCP means.

      Just because you haven't seen the problem first-hand does not mean that it does not exist.

  18. ONE! huge fix Microsoft!. by Anonymous Coward · · Score: 0

    Microsoft could have secured the operating system with these steps: at install time, require an Admin password to be set; next, make the Admin account useless for anything other than administrative tasks (including installing software); then make a user account with low privileges for regular use.

    I have been working as a techie for many years, and most of the problems I have encountered could have been avoided if the user was required to log in to the admin account to install crapware.

  19. First bounty by Anonymous Coward · · Score: 1

    Dear Microsoft,
        I have found a terrible bug in Windows 8. I don't know how it got through testing, but the start button and its menu is missing. It isn't actually letting adversaries *in* to the system but it is letting an awful lot of users *out* of the system. So I'm hopeful that you can stretch the definition of "security bugs" to cover "financial security of Microsoft bugs" and get a check headed my way.

  20. Genius Marketing by Aaron+B+Lingwood · · Score: 1

    Can't get people to buy your latest piece of software?
    Simply offering a generous bug bounty may be enough to convince technologists to buy and use your software.
    While the cost of the program is likely greater than the related sales, said technologists will become accustomed to your new software and push it on to their families, their friends, their neighbours, their customers and their workplaces. Genius marketing is genius.

    --
    [Rent This Space]
  21. So Windows 7 and XP users are SOL? by Bearhouse · · Score: 1

    capable of bypassing the latest existing mitigations in the newest version of Windows

    So if someone finds a juicy exploit in Windows 7, then his only potential choices are (a) a pat on the back from Ballmer, or (b) sell it to the bad guys?

  22. Pay me $100k to use Windows 8 by Anonymous Coward · · Score: 0

    You'd have to pay me $100k to just use Windows 8, let alone find a bug

  23. Metro.... by Anonymous Coward · · Score: 0

    The biggest bug is the UI, could someone start a kickstarter to raise funds to pay a bunch of developers to fix that one?

  24. Re:Right..... by Anonymous Coward · · Score: 0

    you: "I found a bug that allows an attacker to compromise the system. Here is a write up of a proof of concept of the bug and a demo of the compromise." Microsoft: "That's not a bug, that's a feature."

    Hacky McHacker: "Then you'll welcome the publicity when I demonstrate that feature. Cheerio!"

    Microsoft: "Let's not be too hasty, mister McHacker..."

  25. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  26. My guess.... by Anonymous Coward · · Score: 0

    The NSA needs better exploits.
    What better way than to get Micro$oft to pay for them before sharing!
    Just saying...

  27. Re:CPU companies don't use "bounties" why does SW? by RightSaidFred99 · · Score: 1

    Apples, meet Oranges.

  28. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  29. Re:CPU companies don't use "bounties" why does SW? by RightSaidFred99 · · Score: 1

    Hardware is much more easily validated, and usually much less easily updated after the fact. And that is just the way it is. Anyone even basically familiar with both would know this.

  30. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  31. Re:CPU companies don't use "bounties" why does SW? by Anonymous Coward · · Score: 0

    It's easier to validate a CPU (even the most high end of CPUs) than it is to validate an operating system and every service and application that comes with it including drivers and other software that will _later_ run on it for every possible security, functional, or nonfunctional flaw.

    Don't be a fucking idiot.

  32. This is a trick by Anonymous Coward · · Score: 0

    To get a few more Windows 8 sales