It’s about damn time. Microsoft has finally decided to start incentivising, handsomely, anyone that can find security flaws in the world’s most popular desktop operating system. The Redmond gang will cough up US$100 000 for information about security bugs that can be used to break into Windows.
The programme, which starts with the upcoming 8.1 release of Windows, will offer an additional US$50 000 “Defense Bonus” to those cunning hackers who can outline new ways of defending against similar weaknesses from being exploited in the future.
But wait. There’s more. Microsoft will also fork over up to US$11 000 for security flaws in the preview version of Internet Explorer 11. This move is interesting because it now behooves researchers to release their vulnerability findings earlier. Typically companies do not offer rewards for beta software.
Why hasn’t Microsoft done this sooner? After all, this kind of thing has been standard practice for companies like Facebook, Google and Mozilla for a while now. Four reasons.
The first is that it’s getting harder to find these exploits. Microsoft is crowdsourcing its security efforts by tapping into the entire world’s security community — professional, freelance or hobbyist.
Next, hackers are selling their exploits to the highest bidder, sometimes to the government or on the black market where they can be used for espionage or crime. Microsoft’s bounties are high enough to attract enterprising researchers. Forbes reporter Andy Greenberg reported last year that a working Windows exploit could “earn a hacker between US$60 000 and US$120 000 dollars from an intelligence or law enforcement agency, and one that achieves full compromise of a Windows computer through Internet Explorer could earn as much as $200,000.”
The third reason is that Microsoft isn’t detecting vulnerabilities picked up in the wild fast enough. Sure, it offers the Blue Hat prize annually at the Black Hat conference and the grapevine reveals exploits through competitions like Pwn2Own, but that’s way too sporadic for a company that services the majority of the world’s home and corporate desktop computers.
Microsoft’s Katie Moussouris says that the bounty programmes announced “will simultaneously encourage those who want to work with us while increasing costs for those whose actions cannot be affected by bounties or other incentive programs.”