Feeds

Microsoft breaks bug-bounty virginity in $100,000 contest

Black Hat sets phasers to stun on Windows 8.1 and Internet Explorer 11

Internet Security Threat Report 2014

Microsoft is breaking its long-standing tradition of not paying for security vulnerabilities by offering a $100,000 cash prize for the first penetration tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it.

At this year's Black Hat USA conference – held at the end of July in the sweaty hell that is Las Vegas at that time of year – Microsoft will offer $100,000 (and a laptop) to the hacker who can demonstrate a critical vulnerability in Windows 8.1, either at the conference or afterwards.

Any successful hacker can earn an additional $50,000 "BlueHat Bonus" if they can tell Redmond how to fix a major flaw in the operating system. In addition, there's an $11,000 bounty on Internet Explorer 11 Preview Edition vulnerabilities – but with a 30 day time limit – presumably so that any new problems can be fixed in time for the final release.

The market for software vulnerabilities is a contentious issue. Proponents point out that cash payouts are the only way for independent security researchers to make a living and that the resulting disclosures have immense benefits for end users. Opponents suggest that hackers should disclose responsibly as a matter of morality. Meanwhile, there's a thriving black market for software flaws, especially zero-day vulnerabilities.

Many software companies, including Google, Paypal, and Facebook, offer bug bounties of varying amounts, and security researchers have reaped millions of dollars and built successful businesses as a result. Redmond has held off from similar policies until now.

Part of the reason for change at Microsoft is the appointment of Katie Moussouris to Redmond's team senior security strategist. She has championed the rights of researchers to disclose flaws without fear of prosecution and pushed for Microsoft to share vulnerability data with third parties at the earliest opportunity. Now she appears to have helped Redmond cross the final frontier.

"Speaking with Katie Moussouris of Microsoft, this has been something that's been hotly debated and discussed internally and externally at Microsoft for a long time," Trey Ford, general manager of Black Hat told The Register. "It took her, I think, three years ago to help get this through the ranks and I'm really excited, this is a really great move I'm hoping to see Apple follow suit."

Apple is still holding out against paying for vulnerability disclosures, and its debut Black Hat briefing last year was a disappointment. It wasn't too long ago that Apple's minions were breaking down journalists' doors in the pursuit of intellectual property, and Cupertino is making a few mistakes of its own on the security front in the meantime.

Getting Microsoft online has been a major coup for the Black Hat conference, but Ford said this year's jamboree (with DEFCON afterwards) covers sessions on security issues in 18 different security areas – a long way from the first conference in 1997, where the two-day event was dominated by enterprise server, ActiveX, and UNIX issues.

Since their inception, Black Hat and DEFCON have provided a forum where the suits of corporate culture and the freer spirits of the security research world can mingle and exchange ideas. As a result, we've seen major flaws patched in the internet's backbone and useful insight into the current security landscape. Long may it continue. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.