Feeds

Microsoft breaks bug-bounty virginity in $100,000 contest

Black Hat sets phasers to stun on Windows 8.1 and Internet Explorer 11

Seven Steps to Software Security

Microsoft is breaking its long-standing tradition of not paying for security vulnerabilities by offering a $100,000 cash prize for the first penetration tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it.

At this year's Black Hat USA conference – held at the end of July in the sweaty hell that is Las Vegas at that time of year – Microsoft will offer $100,000 (and a laptop) to the hacker who can demonstrate a critical vulnerability in Windows 8.1, either at the conference or afterwards.

Any successful hacker can earn an additional $50,000 "BlueHat Bonus" if they can tell Redmond how to fix a major flaw in the operating system. In addition, there's an $11,000 bounty on Internet Explorer 11 Preview Edition vulnerabilities – but with a 30 day time limit – presumably so that any new problems can be fixed in time for the final release.

The market for software vulnerabilities is a contentious issue. Proponents point out that cash payouts are the only way for independent security researchers to make a living and that the resulting disclosures have immense benefits for end users. Opponents suggest that hackers should disclose responsibly as a matter of morality. Meanwhile, there's a thriving black market for software flaws, especially zero-day vulnerabilities.

Many software companies, including Google, Paypal, and Facebook, offer bug bounties of varying amounts, and security researchers have reaped millions of dollars and built successful businesses as a result. Redmond has held off from similar policies until now.

Part of the reason for change at Microsoft is the appointment of Katie Moussouris to Redmond's team senior security strategist. She has championed the rights of researchers to disclose flaws without fear of prosecution and pushed for Microsoft to share vulnerability data with third parties at the earliest opportunity. Now she appears to have helped Redmond cross the final frontier.

"Speaking with Katie Moussouris of Microsoft, this has been something that's been hotly debated and discussed internally and externally at Microsoft for a long time," Trey Ford, general manager of Black Hat told The Register. "It took her, I think, three years ago to help get this through the ranks and I'm really excited, this is a really great move I'm hoping to see Apple follow suit."

Apple is still holding out against paying for vulnerability disclosures, and its debut Black Hat briefing last year was a disappointment. It wasn't too long ago that Apple's minions were breaking down journalists' doors in the pursuit of intellectual property, and Cupertino is making a few mistakes of its own on the security front in the meantime.

Getting Microsoft online has been a major coup for the Black Hat conference, but Ford said this year's jamboree (with DEFCON afterwards) covers sessions on security issues in 18 different security areas – a long way from the first conference in 1997, where the two-day event was dominated by enterprise server, ActiveX, and UNIX issues.

Since their inception, Black Hat and DEFCON have provided a forum where the suits of corporate culture and the freer spirits of the security research world can mingle and exchange ideas. As a result, we've seen major flaws patched in the internet's backbone and useful insight into the current security landscape. Long may it continue. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.