Feeds

Microsoft breaks bug-bounty virginity in $100,000 contest

Black Hat sets phasers to stun on Windows 8.1 and Internet Explorer 11

Top 5 reasons to deploy VMware with Tegile

Microsoft is breaking its long-standing tradition of not paying for security vulnerabilities by offering a $100,000 cash prize for the first penetration tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it.

At this year's Black Hat USA conference – held at the end of July in the sweaty hell that is Las Vegas at that time of year – Microsoft will offer $100,000 (and a laptop) to the hacker who can demonstrate a critical vulnerability in Windows 8.1, either at the conference or afterwards.

Any successful hacker can earn an additional $50,000 "BlueHat Bonus" if they can tell Redmond how to fix a major flaw in the operating system. In addition, there's an $11,000 bounty on Internet Explorer 11 Preview Edition vulnerabilities – but with a 30 day time limit – presumably so that any new problems can be fixed in time for the final release.

The market for software vulnerabilities is a contentious issue. Proponents point out that cash payouts are the only way for independent security researchers to make a living and that the resulting disclosures have immense benefits for end users. Opponents suggest that hackers should disclose responsibly as a matter of morality. Meanwhile, there's a thriving black market for software flaws, especially zero-day vulnerabilities.

Many software companies, including Google, Paypal, and Facebook, offer bug bounties of varying amounts, and security researchers have reaped millions of dollars and built successful businesses as a result. Redmond has held off from similar policies until now.

Part of the reason for change at Microsoft is the appointment of Katie Moussouris to Redmond's team senior security strategist. She has championed the rights of researchers to disclose flaws without fear of prosecution and pushed for Microsoft to share vulnerability data with third parties at the earliest opportunity. Now she appears to have helped Redmond cross the final frontier.

"Speaking with Katie Moussouris of Microsoft, this has been something that's been hotly debated and discussed internally and externally at Microsoft for a long time," Trey Ford, general manager of Black Hat told The Register. "It took her, I think, three years ago to help get this through the ranks and I'm really excited, this is a really great move I'm hoping to see Apple follow suit."

Apple is still holding out against paying for vulnerability disclosures, and its debut Black Hat briefing last year was a disappointment. It wasn't too long ago that Apple's minions were breaking down journalists' doors in the pursuit of intellectual property, and Cupertino is making a few mistakes of its own on the security front in the meantime.

Getting Microsoft online has been a major coup for the Black Hat conference, but Ford said this year's jamboree (with DEFCON afterwards) covers sessions on security issues in 18 different security areas – a long way from the first conference in 1997, where the two-day event was dominated by enterprise server, ActiveX, and UNIX issues.

Since their inception, Black Hat and DEFCON have provided a forum where the suits of corporate culture and the freer spirits of the security research world can mingle and exchange ideas. As a result, we've seen major flaws patched in the internet's backbone and useful insight into the current security landscape. Long may it continue. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.