Microsoft tacks up first wanted poster, debuts temp bounty for IE11 bugs
Better late to the party than never, say security experts
Computerworld - Microsoft on Wednesday backpedaled from a long-standing refusal to pay bug bounties when it announced a temporary program for the beta of Internet Explorer 11 (IE11).
The Internet Explorer 11 Preview Bug Bounty will start June 26, the day the browser launches alongside Windows 8.1 at the BUILD developer conference, and will run until July 26. During the 30 days, Microsoft will pay researchers up to $11,000 for each vulnerability they find and report to the company.
Microsoft has repeatedly rejected the idea of joining rivals, such as Google and Mozilla, in paying for bugs. In 2011, the company insisted a just-announced contest was a better use of its money than paying for bugs one by one.
Also yesterday, Microsoft expanded that 2011 contest -- then labeled the "BlueHat Prize" -- into an ongoing "BlueHat Bonus for Defense" initiative that will pay researchers up to $50,000 for fresh defensive security solutions.
The big money was reserved for another new program, dubbed "Mitigation Bypass Bounty," that will award up to $100,000 for any novel exploitation technique able to circumvent Windows 8.1's many defenses.
Only the IE11 preview program is a true bug bounty -- one that pays researchers for each unknown vulnerability they report -- but security experts were impressed nonetheless.
"We've waited years for this, and they're doing it in classic Microsoft fashion ... they're putting their own twist on a bug bounty by only paying for bugs in a beta," said Andrew Storms, director of security operations at Tripwire nCircle. "I can see the reasoning behind that, because beta is when bugs ought to be found."
Chris Wysopal, co-founder and CTO of Veracode, a Burlington, Mass. firm that develops application security testing and risk management software, agreed, but couldn't resist poking Microsoft.
"I've been a fan of bug bounties for a long time, and in 2010, after Google started paying for bugs, predicted that Microsoft would, too," said Wysopal. "It took them a good three years to do this. But they came up with a new twist which no one had tried before."
In 2010, Wysopal wrote a blog post in which he forecast that Microsoft would "cave to industry pressure as they are hit with more uncoordinated disclosures than their peers," and kick off a bounty program.
The limited-time IE11 bounty offer was triggered by a realization that researchers waited until after IE10 went final, or reached what Microsoft calls "release to manufacturing," or RTM, to report bugs, said Katie Moussouris, a senior security strategist lead with the company.
IE10, the immediate predecessor to IE11, shipped last October for Windows 8. It reached RTM along with that operating system in late August 2012, having been in beta, or as Microsoft called it, "preview," for almost a year.
"The researchers were looking for vulnerabilities [in IE10], but they were holding on to them," said Moussouris, not reporting them either to Microsoft directly, or more importantly, to the third-party bug bounty brokers like HP TippingPoint's Zero Day Initiative and VeriSign's iDefense, that pay, sometimes handsomely, for vulnerabilities. "We didn't want to wait for all the vulnerabilities until after RTM, because it was much better that we get them as early as possible."
Brokers such as TippingPoint and iDefense have policies that preclude bounties for bugs in betas, in part because there's no way they can know whether the flaws will be fixed or left untouched by the time a product is completed and shipped to customers.
The rewards for IE11 bugs, which range from $500 to over $11,000, are meant to shake those bugs from the researcher trees before IE11 is released to the public.