Feeds

Microsoft breaks bug-bounty virginity in $100,000 contest

Black Hat sets phasers to stun on Windows 8.1 and Internet Explorer 11

Protecting against web application threats using SSL

Microsoft is breaking its long-standing tradition of not paying for security vulnerabilities by offering a $100,000 cash prize for the first penetration tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it.

At this year's Black Hat USA conference – held at the end of July in the sweaty hell that is Las Vegas at that time of year – Microsoft will offer $100,000 (and a laptop) to the hacker who can demonstrate a critical vulnerability in Windows 8.1, either at the conference or afterwards.

Any successful hacker can earn an additional $50,000 "BlueHat Bonus" if they can tell Redmond how to fix a major flaw in the operating system. In addition, there's an $11,000 bounty on Internet Explorer 11 Preview Edition vulnerabilities – but with a 30 day time limit – presumably so that any new problems can be fixed in time for the final release.

The market for software vulnerabilities is a contentious issue. Proponents point out that cash payouts are the only way for independent security researchers to make a living and that the resulting disclosures have immense benefits for end users. Opponents suggest that hackers should disclose responsibly as a matter of morality. Meanwhile, there's a thriving black market for software flaws, especially zero-day vulnerabilities.

Many software companies, including Google, Paypal, and Facebook, offer bug bounties of varying amounts, and security researchers have reaped millions of dollars and built successful businesses as a result. Redmond has held off from similar policies until now.

Part of the reason for change at Microsoft is the appointment of Katie Moussouris to Redmond's team senior security strategist. She has championed the rights of researchers to disclose flaws without fear of prosecution and pushed for Microsoft to share vulnerability data with third parties at the earliest opportunity. Now she appears to have helped Redmond cross the final frontier.

"Speaking with Katie Moussouris of Microsoft, this has been something that's been hotly debated and discussed internally and externally at Microsoft for a long time," Trey Ford, general manager of Black Hat told The Register. "It took her, I think, three years ago to help get this through the ranks and I'm really excited, this is a really great move I'm hoping to see Apple follow suit."

Apple is still holding out against paying for vulnerability disclosures, and its debut Black Hat briefing last year was a disappointment. It wasn't too long ago that Apple's minions were breaking down journalists' doors in the pursuit of intellectual property, and Cupertino is making a few mistakes of its own on the security front in the meantime.

Getting Microsoft online has been a major coup for the Black Hat conference, but Ford said this year's jamboree (with DEFCON afterwards) covers sessions on security issues in 18 different security areas – a long way from the first conference in 1997, where the two-day event was dominated by enterprise server, ActiveX, and UNIX issues.

Since their inception, Black Hat and DEFCON have provided a forum where the suits of corporate culture and the freer spirits of the security research world can mingle and exchange ideas. As a result, we've seen major flaws patched in the internet's backbone and useful insight into the current security landscape. Long may it continue. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.