Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Microsoft Bug The Almighty Buck

Microsoft Launches $100k Bug Bounty Program 68

Posted by samzenpus from the bug-hunt dept.
Trailrunner7 writes "After years of saying that the company didn't need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws. Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case. The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."
This discussion has been archived. No new comments can be posted.

Microsoft Launches $100k Bug Bounty Program More

Microsoft Launches $100k Bug Bounty Program

Comments Filter:

  • Question? (Score:1)

    by Anonymous Coward

    How much does the NSA then pay for the bugs? ;-)

    • How much does the NSA then pay for the bugs? ;-)

      Doesn't matter, they have 300 million pin numbers to choose from?

    • Re: (Score:1)

      by Guppy06 ( 410832 )

      The NSA pays Microsoft $200k to implement the "bug "to begin with, so they're still making a net profit.

  • Finally (Score:5, Insightful)

    by Max DollarCash ( 2874161 ) on Wednesday June 19, 2013 @06:22PM (#44055481)
    Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now. At least now the researchers discovering the bugs have an incentive to sell to microsoft and get the bug fixed instead of selling it to the highest bidder who will probably use it to create either "private"-malware or government-malware. Thank you m$
    • Can the MS devs apply to the program for some *very* recent bugs?
    • Not only that, its incentive for other people, who may have access to an unknown zero day to disclose that information to MS for the bounty.

    • Re: (Score:1)

      by Anonymous Coward

      http://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml

      I'm guessing they just give you part of what they get from the NSA now.

    • Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now.

      they couldn't afford a bounty like this until Windows 7 was SP'd...

  • There could be an influx of bug reports, I guess all those zero days waiting in the wings for a buyer, they might be cashed in, which is the whole point of this program, so the question is why did it take 15 years to arrive?

  • Exploit circle (Score:2, Informative)

    by Anonymous Coward

    1) Pay for exploits up to 100,000
    2) Sell exploits to NSA for up to 200,000, guaranteed unpatched for x days
    3) Patch exploit; forcing NSA to buy more exploits
    4) Repeat steps
    5) Profit!

  • So up to a short time ago people did this for free? But now they are worth 100K a pop?

    • Because there has been a body of very effective bug finders who find bugs for profit.

    • Re: (Score:1)

      by mjwx ( 966435 )

      So up to a short time ago people did this for free? But now they are worth 100K a pop?

      Actually it's a $100,000 program, not $100,000 a bug. With the volume of bugs in Windows they will probably be broke in a week offering $5 a pop.

  • Update: the going price for an exploit in XP is $5 in Xbox Live credit, lol.

  • will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."

    In this style: http://technet.microsoft.com/en-us/security/bulletin/ms12-020 [microsoft.com]

    Bug no.: 54321
    Severity: Critical
    FAQ: Allows privilege escalation
    Mitigating factors:

    1. There are only 3 genuine users of the latest version of our operating system

    2. We care a damn about affected earlier versions since those lousy bastards need to upgrade anyway

    So it is a bug yes,

  • First bounty (Score:1)

    by Anonymous Coward

    Dear Microsoft,
        I have found a terrible bug in windows 8. I don't know how it got through testing, but the start button and its menu is missing. It isn't actually letting adversaries *in* to the system but it is letting an awful lot of users *out* of the system. So I'm hopeful that you can stretch the definition of "security bugs" to cover "financial security of Microsoft bugs" and get a check headed my way.

  • Can't get people to buy your latest piece of software?
    Simply offering a generous bug bounty may be enough to convince technologists to buy and use your software.
    While the cost of the program is likely greater than the related sales, said technologists will become accustomed to your new software and push it on to their families, their friends, their neighbours, their customers and their workplaces. Genius marketing is genius.

  • capable of bypassing the latest existing mitigations in the newest version of Windows

    So if someone finds a juicy exploit in Windows 7, then his only potential choices are (a) a pat on the back from Balmer, or (b) sell it to the bad guys?

  • Comment removed based on user account deletion

Slashdot Top Deals

Know Thy User.

Close