Slashdot Mirror
Microsoft Launches $100k Bug Bounty Program
Trailrunner7 writes "After years of saying that the company didn't need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws. Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case. The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."
How much does the NSA then pay for the bugs? ;-)
Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now. At least now the researchers discovering the bugs have an incentive to sell to microsoft and get the bug fixed instead of selling it to the highest bidder who will probably use it to create either "private"-malware or government-malware. Thank you m$
There could be an influx of bug reports, I guess all those zero days waiting in the wings for a buyer, they might be cashed in, which is the whole point of this program, so the question is why did it take 15 years to arrive?
Now's the time to put up or shut up!
Slashdotters shut up about Windows? Also unthinkable.
Bank offer is $100K, do you take it or risk losing it to someone else while you figure out a "defensive technique" and collect the extra $50K?
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
1) Pay for exploits up to 100,000
2) Sell exploits to NSA for up to 200,000, guaranteed unpatched for x days
3) Patch exploit; forcing NSA to buy more exploits
4) Repeat steps
5) Profit!
This is old news! I have been getting rich forwarding emails from Microsoft's Email Beta Test program for years now.
That check should be showing up any day now...
-- You are in a maze of little, twisty passages, all different... --
So up to a short time ago people did this for free? But now they are worth 100K a pop?
Troll is not a replacement for I disagree.
Not likely. It's an "up to" meaning "not more than." Any amount less than $100,001 is in compliance with that policy.
I kind of agree.
However there are some things that will make this nearly impossible to claim even if you manage to find something.
It needs to be new, which means something they didn't know about.
However, they don't need to tell anyone when they learn about something new, which opens a perfect hole for them to say "Oh that one, we knew about that one" even if they didn't.
The line "a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows" is also important. Because if gives them another way out of paying for it. "Oh you are using Windows 8 with security patch 8.12.235321, but we are about to release security patch 8.12.235322 which has already fixed that - so you weren't on the latest version."
These are old tricks, which I have seen used by companies for other things where there is supposedly a reward.
Update: the going price for an exploit in XP is $5 in Xbox Live credit, lol.
May as well make it look like NSA is not paying millions per sploit.
You are being MICROattacked, from various angles, in a SOFT manner.
will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."
In this style: http://technet.microsoft.com/en-us/security/bulletin/ms12-020
Bug no.: 54321
Severity: Critical
FAQ: Allows privilege escalation
Mitigating factors:
1. There are only 3 genuine users of the latest version of our operating system
2. We care a damn about affected earlier versions since those lousy bastards need to upgrade anyway
So it is a bug yes, latest version affected yes, but Bounty for you? No!!
If you keep throwing chairs, one day you'll break windows....
Dear Microsoft,
I have found a terrible bug in windows 8. I don't know how it got through testing, but the start button and its menu is missing. It isn't actually letting adversaries *in* to the system but it is letting an awful lot of users *out* of the system. So I'm hopeful that you can stretch the definition of "security bugs" to cover "financial security of Microsoft bugs" and get a check headed my way.
Can't get people to buy your latest piece of software?
Simply offering a generous bug bounty may be enough to convince technologists to buy and use your software.
While the cost of the program is likely greater than the related sales, said technologists will become accustomed to your new software and push it on to their families, their friends, their neighbours, their customers and their workplaces. Genius marketing is genius.
[Rent This Space]
capable of bypassing the latest existing mitigations in the newest version of Windows
So if someone finds a juicy exploit in Windows 7, then his only potential choices are (a) a pat on the back from Balmer, or (b) sell it to the bad guys?
If that's the case then you can immediately publish a working exploit as soon as they say they already know about it : ) I think they'd lose that fight, lol
http://soylentnews.org/~tibman
Does "up to" include negative numbers?
Comment removed based on user account deletion
Apples, meet Oranges.
Comment removed based on user account deletion
Hardware is much more easily validated, and usually much less easily updated after the fact. And that is just the way it is. Anyone even basically familiar with both would know this.
Comment removed based on user account deletion