Feeds

Microsoft breaks bug-bounty virginity in $100,000 contest

Black Hat sets phasers to stun on Windows 8.1 and Internet Explorer 11

Intelligent flash storage arrays

Microsoft is breaking its long-standing tradition of not paying for security vulnerabilities by offering a $100,000 cash prize for the first penetration tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it.

At this year's Black Hat USA conference – held at the end of July in the sweaty hell that is Las Vegas at that time of year – Microsoft will offer $100,000 (and a laptop) to the hacker who can demonstrate a critical vulnerability in Windows 8.1, either at the conference or afterwards.

Any successful hacker can earn an additional $50,000 "BlueHat Bonus" if they can tell Redmond how to fix a major flaw in the operating system. In addition, there's an $11,000 bounty on Internet Explorer 11 Preview Edition vulnerabilities – but with a 30 day time limit – presumably so that any new problems can be fixed in time for the final release.

The market for software vulnerabilities is a contentious issue. Proponents point out that cash payouts are the only way for independent security researchers to make a living and that the resulting disclosures have immense benefits for end users. Opponents suggest that hackers should disclose responsibly as a matter of morality. Meanwhile, there's a thriving black market for software flaws, especially zero-day vulnerabilities.

Many software companies, including Google, Paypal, and Facebook, offer bug bounties of varying amounts, and security researchers have reaped millions of dollars and built successful businesses as a result. Redmond has held off from similar policies until now.

Part of the reason for change at Microsoft is the appointment of Katie Moussouris to Redmond's team senior security strategist. She has championed the rights of researchers to disclose flaws without fear of prosecution and pushed for Microsoft to share vulnerability data with third parties at the earliest opportunity. Now she appears to have helped Redmond cross the final frontier.

"Speaking with Katie Moussouris of Microsoft, this has been something that's been hotly debated and discussed internally and externally at Microsoft for a long time," Trey Ford, general manager of Black Hat told The Register. "It took her, I think, three years ago to help get this through the ranks and I'm really excited, this is a really great move I'm hoping to see Apple follow suit."

Apple is still holding out against paying for vulnerability disclosures, and its debut Black Hat briefing last year was a disappointment. It wasn't too long ago that Apple's minions were breaking down journalists' doors in the pursuit of intellectual property, and Cupertino is making a few mistakes of its own on the security front in the meantime.

Getting Microsoft online has been a major coup for the Black Hat conference, but Ford said this year's jamboree (with DEFCON afterwards) covers sessions on security issues in 18 different security areas – a long way from the first conference in 1997, where the two-day event was dominated by enterprise server, ActiveX, and UNIX issues.

Since their inception, Black Hat and DEFCON have provided a forum where the suits of corporate culture and the freer spirits of the security research world can mingle and exchange ideas. As a result, we've seen major flaws patched in the internet's backbone and useful insight into the current security landscape. Long may it continue. ®

Internet Security Threat Report 2014

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.