Microsoft says its new bug bounty is already working: it is investigating the first “few” potential security vulnerabilities submitted against its beta software, for which it could pay up to $100,000, even though grey market traders may still outbid it.
Microsoft launched the bug bounty two weeks ago and says the program is already paying dividends, despite not yet having made a single payout for new Microsoft bugs.
With up to $100,000 on offer, researchers who previously reported Microsoft flaws only to “white market” vulnerability brokers, and only after the software was out of beta, have begun reporting them directly to Microsoft ahead of the final release. The bug reports it has received concern the preview versions of Windows 8.1 and Internet Explorer (IE) 11, which are currently in scope for the program.
“Some entries are coming from familiar researchers, and some are coming from researchers who had historically only reported issues via white market vulnerability brokers, after our beta period was over,” Katie Moussouris, head of security community outreach and strategy at Microsoft, wrote in a blog post on Wednesday.
She concludes that “this means that our strategy to attract researchers to report issues directly to us earlier in the release cycle is working already.”
A fortnight ago Microsoft announced its new Google-style bug bounty program, promising researchers between $500 and $11,000 for critical remote code execution vulnerabilities in the Internet Explorer 11 Preview and up to $100,000 for attacks that bypass the built-in exploit mitigations in the latest version of Windows.
Researchers have 30 days from June 26 to find and submit their discoveries to Microsoft, which is now assessing whether the submissions meet the bar for a payout.
“We’ve received a few submissions to date for the IE 11 Preview Bug Bounty and the Mitigation Bypass Bounty. The investigations are underway, and we should be able to hit our target of letting those researchers know if they qualify for a bounty by next week,” Moussouris wrote.
The company will judge some of the mitigation bypasses at the upcoming Black Hat conference in Las Vegas at the end of July.
The new bug bounty may give Microsoft insight into new flaws earlier, but the payouts are still not enough to cap the grey market trade in vulnerabilities, which offers entities other than Microsoft the opportunity to own and exploit flaws in widely used software.
Responding to a criticism on Twitter that Microsoft believed it was making the highest bid for new vulnerabilities, Moussouris said it was not about “being the highest bid” and emphasised that Microsoft was a monopsony buyer of beta bugs.
Moussouris later conceded that some researchers may be selling bugs in beta Microsoft software to grey market buyers, but countered that “not many researchers have those contacts” and that the program was aimed at white market sellers.
“We're now reaching more [researchers] than before, and getting vulns earlier. Target acquired: white market sellers,” she remarked.
Microsoft’s bigger prize of up to $100,000 is for “novel” mitigation bypasses affecting Windows 8.1 that are capable of exploiting a user mode application which uses all of the Windows mitigation technologies covering stack corruption, heap corruption and code execution.
Last year it paid a researcher $200,000 in its “Blue Hat” prize for a defence against return-oriented programming (ROP), a technique that has been used to bypass Data Execution Prevention (DEP). Because Microsoft already has a defence against them, ROP attacks like this are not eligible for the new bounty.