
Microsoft Launches $100k Bug Bounty Program 68

Posted by samzenpus
from the bug-hunt dept.
Trailrunner7 writes "After years of saying that the company didn't need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws. Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case. The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."

  • by Anonymous Coward

    How much does the NSA then pay for the bugs? ;-)

    • How much does the NSA then pay for the bugs? ;-)

      Doesn't matter, they have 300 million pin numbers to choose from?

    • by Guppy06 (410832)

      The NSA pays Microsoft $200k to implement the "bug" to begin with, so they're still making a net profit.

  • Finally (Score:5, Insightful)

    by Max DollarCash (2874161) on Wednesday June 19, 2013 @07:22PM (#44055481)
    Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now. At least now the researchers discovering the bugs have an incentive to sell to Microsoft and get the bug fixed instead of selling it to the highest bidder, who will probably use it to create either "private" malware or government malware. Thank you m$
    • by linear a (584575)
      Can the MS devs apply to the program for some *very* recent bugs?
    • by hilather (1079603)
      Not only that, it's an incentive for other people, who may have access to an unknown zero day, to disclose that information to MS for the bounty.
      • Bank offer is $100K, do you take it or risk losing it to someone else while you figure out a "defensive technique" and collect the extra $50K?
    • by Anonymous Coward

      http://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml

      I'm guessing they just give you part of what they get from the NSA now.

    • by drinkypoo (153816)

      Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now.

      they couldn't afford a bounty like this until Windows 7 was SP'd...

  • There could be an influx of bug reports, I guess all those zero days waiting in the wings for a buyer, they might be cashed in, which is the whole point of this program, so the question is why did it take 15 years to arrive?
  • Exploit circle (Score:2, Informative)

    by Anonymous Coward

    1) Pay for exploits up to 100,000
    2) Sell exploits to NSA for up to 200,000, guaranteed unpatched for x days
    3) Patch exploit; forcing NSA to buy more exploits
    4) Repeat steps
    5) Profit!

  • So up to a short time ago people did this for free? But now they are worth 100K a pop?

    • by Shavano (2541114)
      Because there has been a body of very effective bug finders who find bugs for profit.
    • by mjwx (966435)

      So up to a short time ago people did this for free? But now they are worth 100K a pop?

      Actually it's a $100,000 program, not $100,000 a bug. With the volume of bugs in Windows they will probably be broke in a week offering $5 a pop.

  • Update: the going price for an exploit in XP is $5 in Xbox Live credit, lol.
  • will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."

    In this style: http://technet.microsoft.com/en-us/security/bulletin/ms12-020 [microsoft.com]

    Bug no.: 54321
    Severity: Critical
    FAQ: Allows privilege escalation
    Mitigating factors:

    1. There are only 3 genuine users of the latest version of our operating system

    2. We care a damn about affected earlier versions since those lousy bastards need to upgrade anyway

    So it is a bug yes,

  • by Anonymous Coward

    Dear Microsoft,
        I have found a terrible bug in windows 8. I don't know how it got through testing, but the start button and its menu is missing. It isn't actually letting adversaries *in* to the system but it is letting an awful lot of users *out* of the system. So I'm hopeful that you can stretch the definition of "security bugs" to cover "financial security of Microsoft bugs" and get a check headed my way.

  • Can't get people to buy your latest piece of software?
    Simply offering a generous bug bounty may be enough to convince technologists to buy and use your software.
    While the cost of the program is likely greater than the related sales, said technologists will become accustomed to your new software and push it on to their families, their friends, their neighbours, their customers and their workplaces. Genius marketing is genius.
  • capable of bypassing the latest existing mitigations in the newest version of Windows

    So if someone finds a juicy exploit in Windows 7, then his only potential choices are (a) a pat on the back from Balmer, or (b) sell it to the bad guys?

  • As a former validation and verification engineer/manager I find it to be obscene that these big institutions get work performed in V&V for next to nothing (and poorly at that). My team, at a large semiconductor company, comprised 10 engineers to perform pre-silicon and board-set validation, and subsequently verification. And we were an augment to the designers, and other "silicon" teams, that were doing their own V&V, and "BIOS/EFI" and OS groups doing their own.

    The result: perfection on both S

    • Apples, meet Oranges.
      • Wrong. SW companies do it because they can get away with it, and people believe "that's just the way it is". Yes it is... sloppy work on the part of SW

        • Hardware is much more easily validated, and usually much less easily updated after the fact. And that is just the way it is. Anyone even basically familiar with both would know this.
          • You obviously have NO idea what the hell you are talking about.

            My 10 years in silicon and board-set validation has all the validation requirements of SW (chips are coded in languages too, even 'C' sometimes), and another dozen+ layers of validation and verification to deal with electrical characteristics, material sciences, environmental, mfg process, and more layers than I care to list. This not only involves test software but all too often test hardware that is used for the very first time (which also need
