Microsoft is getting in on the bug-bounty bandwagon, following in the footsteps of Google and Facebook. The technology giant is asking hackers and researchers to help protect its customers and make its products better in exchange for a pocket full of cash.
"Microsoft is now offering direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques," the company said in its announcement. "Our new bounty programs add fresh depth and flexibility to our existing community outreach programs."
Beginning June 26, Microsoft will launch several bounty programs, including Mitigation Bypass Bounty, the BlueHat Bonus for Defense and the Internet Explorer 11 Preview Bug Bounty. Analysts said the programs are a smart move.
Betting on the Bounty
Under the Mitigation Bypass Bounty, Microsoft will pay up to $100,000 for "truly novel exploitation techniques against protections" built into the latest version of its operating system. Microsoft said learning about new exploitation techniques earlier helps the company improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would. This program is ongoing.
The BlueHat Bonus for Defense program promises up to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission. Microsoft said doing so highlights its continued support of defensive technologies and provides a way for the research community to help protect more than a billion computer systems worldwide. This program is also ongoing.
Finally, the IE 11 Preview Bug Bounty offers up to $11,000 for critical vulnerabilities that affect the browser on the latest version of Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 beta period. Microsoft said learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft make the newest version of the browser more secure.
It's About Time
"I think this is an intelligent move by Microsoft to tap talent from all over the world, especially in the security space where it's hard to find that talent. It also encourages good research to land into the hands of vendors rather than being sold on the black market," said Amol Sarwate, director of Qualys Vulnerability Labs.
"Bug bounty programs are not new and have been implemented previously by Google, Mozilla, PayPal and Facebook to name a few," Sarwate told us. "White market bug bounty programs like HP-Tipping Point's Zero Day Initiative have been around for a few years now. Nevertheless, Microsoft's move is welcome and the prize money certainly trumps other programs."