Microsoft tacks up first wanted poster, debuts temp bounty for IE11 bugs

Better late to the party than never, say security experts


"We're projecting that the rewards will be enough to motivate them, so we have a chance of addressing as many [bugs] as possible by RTM, before customers will have deployed the software," said Moussouris in an interview.

Wysopal thought the move made a lot of sense. "It will save them money during the beta," he said. "I've heard that it costs them $100,000 to test and ship a patch."

Both Storms and Wysopal believed that the IE11 program was just a first step by Microsoft into a more comprehensive bounty model, and that the company would add other software to the deal down the road.

"I think they're going to continue this for other software, and they really should. I imagine a lot of people will ask them to do that," said Storms.

"I'm not sure why they wouldn't open it up [to other betas]," echoed Wysopal. "I actually think they will, that this is a way to start out small."

Microsoft's Moussouris declined to answer when asked if the IE11 bounty would be expanded to other programs during their testing, or why it won't continue the program longer than 30 days, and in essence compete with the bug brokers for researchers' discoveries. Instead, she acknowledged only that Microsoft would learn from the IE11 program, go through the data -- the number of vulnerabilities reported, for instance -- and perhaps apply the lessons in the future.

But Moussouris made it sound as if Microsoft had absolutely no interest in launching a full-scale bug bounty, even though, by her own admission, Microsoft was now relying far more on reports from brokers than it did two years ago. "We will not disrupt the [brokers'] business model," she said.

After all, why would Microsoft want to change the landscape? Why would it want to lay out money when it doesn't have to, when bug brokers like TippingPoint and iDefense hand over bugs for free?

That's a point critics have made for years, that the company, with billions in revenue, gets researchers to uncover and submit vulnerabilities, either directly or through the brokers, without spending a dime. Comparisons to Google, which awarded nearly $380,000 in bounties for its Chrome browser alone last year -- and has paid over $213,000 so far this year -- come easy.

Yet yesterday's move, small as it was, still collected praise from the experts.

"This is a big deal for Microsoft because they've been pretty obstinate about not paying for bugs," observed Storms. "They're doing it in a way that's comfortable for them, and when you think about it, it's a great compromise compared to what we've seen from them in the past."

Microsoft has published guidelines for the IE11 Preview Bug Bounty program on its website. As in 2011's BlueHat Prize contest, researchers will retain any intellectual rights related to their discoveries, but must license those rights to Microsoft on a royalty-free basis.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His email address is gkeizer@ix.netcom.com.

Copyright © 2013 IDG Communications, Inc.
