ANALYSIS: Why Microsoft is willing to pay bug bounties

Byron Acohido | USA TODAY

SEATTLE – In a game-changing move, Microsoft has reversed its longstanding ban on paying hackers for information about freshly discovered security holes – and instead is now offering rich bounties for notice of new Windows bugs.

Microsoft has long benefited from the bug bounty programs of other vendors, especially Google and Mozilla. But it is now offering three new programs to encourage and compensate so-called gray hat and white hat researchers who spend their days hunting down fresh security flaws in Microsoft products.

Hackers can now claim bounties of up to $100,000, depending on the type of bug discovered. For instance, Microsoft will pay $11,000 hard cash for any bugs found in its upcoming Internet Explorer 11 browser software.

HISTORICAL CONTEXT: The long road from Code Red

"Microsoft entering the game is a big changer because they are a large traditional software vendor," says Chris Wysopal, chief technology officer at application security vendor Veracode. "People are waiting to see if Oracle, Cisco, or SAP follow suit."

Microsoft has come full circle in the hacking community's fractious "full disclosure" debate. Black hat, white hat and gray hat hackers have been relentlessly exposing new Windows bugs since the 1990s.

White hats argue that the intense scrutiny compels software vendors, like Microsoft, to take security more seriously and patch security flaws with more alacrity. Black hats hunt for bugs, too, but with criminal intent. Gray hats sometimes contribute to the cause of good, and at other times behave more like black hats.

Each newly disclosed Windows bug sets off a race to get the new vulnerability patched across the massive breadth of Windows PCs, laptops and servers -- before the bad guys can take advantage. That phenomenon now happens at such a frenzied scale that Microsoft has taken to issuing security patches on the first Tuesday of each month to maintain a semblance of order.

Bug bounty programs came along in 2004 as a way to encourage gray hats and white hats to work with vendors to fix problems instead of disclosing new bugs without vendor coordination. Mozilla Foundation began the first vendor bug bounty, offering $500 for security bugs submitted to it. Over the next two years big companies like Google and Facebook followed suit.

"The programs have become more sophisticated with particular severities and types of flaws paying higher bounties," says Wysopal. "Huge bounties have been aimed at the most challenging problems. These programs allow vendors to tap into a set of smart people working on exactly the same problem that they want to solve."

Google pays up to $20,000 for notification of bugs that impact its important products and web properties; Facebook pays bounties of $500 -- and sometimes a lot more -- for security bugs discovered lurking in its social media properties.

Bounties help "massively," says Trey Ford, general manager of the Black Hat cybersecurity conference. Cash is best when it comes to demonstrating that software companies who tend to rush products to market actually value the gray hat and white hat researchers who, essentially, perform a critical quality control function.

"Discussing vulnerabilities has always been a challenging discussion," Ford says. "The researchers did a great deal of super technical, tedious and time intensive work for no thanks beyond a legal discussion, or a slap in the face."

Now Microsoft is finally acknowledging gray hats and white hats -- with its check book. "The value comes from the business actually understanding the importance of security, and the downstream impacts and ramifications to their business and customers," Ford says.

Mike Reavey, director of Microsoft's Security Response Center, tells CyberTruth that in the past researchers willingly reported a vast majority of bugs directly to Redmond "so there wasn't a need to offer a bounty program."

Reavey says that Redmond still receives the majority of bug disclosures directly from researchers. "But the market has shifted and more researchers are going through vulnerability brokers, which means that we don't get vulnerability information as early as we would like," Reavey explains.

In a blog posting, Katie Moussouris, a senior security strategist at Microsoft Security Response Center, says Microsoft is paying cash bounties in order to "increase the win-win between Microsoft's customers and the security researcher community."

Moussouris asserts that Microsoft hopes to "encourage the security research community to report vulnerabilities in the latest browser and exploitation techniques across the latest platform to Microsoft as early as possible."