Microsoft doubles its bug bounty

Correction: We said that this was a 3 month programme, but Microsoft has informed us that it ends on 1st May, making it just 2 months.

Microsoft has announced a 2 month war on bugs and doubled the money it will pay for any found. From 1 March until 31 May, researchers can earn up to $30,000 for bugs in certain Microsoft products. The increase was published in an updated page on Microsoft TechNet. The news comes two days after Microsoft was again outed by Google’s Project Zero for not patching bugs.

Google outed Microsoft for taking more than 90 days to patch a bug in Windows Explorer and Windows Edge. It has classified that bug as a “high severity” vulnerability. It allows an attacker to remotely execute code on the target machine. Google has not said if it has already seen attacks using this vulnerability, but given the period that has elapsed since it informed Microsoft, there is a high probability that code to exploit this is available on hacker forums. More details of this vulnerability and comments from other people can be found here.

What products is Microsoft looking for bugs in?

Microsoft is looking for a range of bugs related to five domains. Those are:

  • portal.office.com
  • outlook.office365.com
  • outlook.office.com
  • *.outlook.com
  • outlook.com
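A small scope check for the domain list above, added here as an example (it is not part of the article or of Microsoft's programme terms). It assumes the wildcard means one or more labels under outlook.com, and shows the label-boundary and URL-parsing mistakes that make a naive suffix match accept out-of-scope hosts.

```python
# Added example, not from the article: is a host inside the five-domain scope?
SCOPE = [
    "portal.office.com",
    "outlook.office365.com",
    "outlook.office.com",
    "*.outlook.com",   # assumption: one or more labels under outlook.com
    "outlook.com",     # listed separately because the wildcard does not cover it
]


def normalise(host: str) -> str:
    """Reduce a bare host or a URL to a lower-case host name."""
    host = host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    # Drop the path first, then any userinfo (user@host), then the port.
    # Taking the part after "@" stops "https://outlook.com@evil.example/"
    # from being read as outlook.com.
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return host.rstrip(".")  # FQDN form "outlook.com." is the same host


def matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".outlook.com", dot included
        # Require the dot so "notoutlook.com" is rejected, and require at
        # least one label before it so the bare apex does not match here.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def in_scope(target: str) -> bool:
    host = normalise(target)
    return any(matches(p, host) for p in SCOPE)
```

A naive check such as `"outlook.com" in host` would accept both `notoutlook.com` and `outlook.com.evil.example`; the function above rejects both.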

This is a much reduced list from those domains and products covered by its normal bug bounty. There are 18 domains and a further 37 eligible endpoints covered by the standard bug bounty. It is not clear why Microsoft has cut the number of products down so much. It could be related to something Microsoft has detected through its own threat intelligence teams in terms of chatter on Dark Net forums. For now, nobody at Microsoft is available to talk about this.

What type of bugs is Microsoft interested in?

Microsoft is looking for nine different types of bugs. It lists these as:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by user)

To get a pay-out, researchers have to disclose the bug, provide an example and include: “concise repro steps that are easily understood.” Any bug that does not meet the criteria above will not be considered by Microsoft for a payment.

What is the going rate for a bug?

In most cases it is as little as the vendor can get away with. Facebook starts from $500. Internet giant OVH pays up to €20,000. Apple pays out up to $200,000. Microsoft did offer $100,000 a couple of times, but its formal programmes were maxed out at $15,000 before this latest double down.

These might sound reasonable numbers but they are peanuts compared to the money researchers can make on the Dark Net. A 0day vulnerability can fetch well over $200,000 depending on what it compromises. Researchers can make even more if they develop the bug and sell it as part of a Malware as a Service platform.

As attractive as those numbers are, the reality is that most researchers earn far less from bounty programmes and the Dark Net. What is needed is for companies to regularly disclose the number of pay-outs and the amounts. This would allow researchers to decide whether to invest their time in one vendor over another.

Conclusion

Bug bounty programmes have been around a long time. They are massively undervalued compared to the costs of dealing with an attack in the wild. The problem is that most of the costs of an attack are not borne by the vendor but by their customers. This may be about to change.

ENISA, a European Union body, has been looking at the issue of liability around autonomous vehicles and software bugs. It has started talks about liability chains and who is responsible. This is a major step forward for the software industry, which generally licenses software on an “as is” basis. This allows vendors to avoid liability.

What ENISA is doing is creating a framework that maps to consumer laws over liability. Some software vendors could end up with a short, sharp, expensive shock. Security researchers will be hoping so because it will substantially increase pay-outs for bug bounties.
