Microsoft to crowdsource Windows 8.1 security, offers $100k bounties

It’s about damn time. Microsoft has finally decided to start incentivising, handsomely, anyone that can find security flaws in the world’s most popular desktop operating system. The Redmond gang will cough up US$100 000 for information about security bugs that can be used to break into Windows.

The programme, which starts with the upcoming 8.1 release of Windows, will also offer an additional US$50 000 “Defense Bonus” to those cunning hackers who can outline new ways of defending against similar weaknesses being exploited in the future.

But wait. There’s more. Microsoft will also fork over up to US$11 000 for security flaws in the preview version of Internet Explorer 11. This move is interesting because it now behooves researchers to release their vulnerability findings earlier. Typically companies do not offer rewards for beta software.

Why hasn’t Microsoft done this sooner? After all, this kind of thing has been standard practice for companies like Facebook, Google and Mozilla for a while now. Four reasons.

The first is that it’s getting harder to find these exploits. Microsoft is crowdsourcing its security efforts by tapping into the entire world’s security community, whether professional, freelance or hobbyist.

Next, hackers are selling their exploits to the highest bidder, sometimes to the government or on the black market where they can be used for espionage or crime. Microsoft’s bounties are high enough to attract enterprising researchers. Forbes reporter Andy Greenberg reported last year that a working Windows exploit could “earn a hacker between US$60 000 and US$120 000 dollars from an intelligence or law enforcement agency, and one that achieves full compromise of a Windows computer through Internet Explorer could earn as much as $200,000.”

The third reason is that Microsoft isn’t detecting vulnerabilities picked up in the wild fast enough. Sure, it offers the Blue Hat prize annually at the Black Hat conference and the grapevine reveals exploits through competitions like Pwn2Own, but that’s way too sporadic for a company that services the majority of the world’s home and corporate desktop computers.

Lastly, more researchers are turning to third-party programmes like HP’s Zero Day Initiative and Verisign’s iDefense to report exploits. Now there’s a direct line.

Microsoft’s Katie Moussouris says that the bounty programmes announced “will simultaneously encourage those who want to work with us while increasing costs for those whose actions cannot be affected by bounties or other incentive programs.”

Source: Forbes

Author | Martin Carstens: Senior reporter

Obsessed with technology and the future, I write words for machines and people. Born in South Africa, now living in the United States.
  • Agosto Nuñez

    Microsoft Windows software is the de facto standard in the world; most hackers are MOST experienced in attacking Windows. Google Chrome O.S., Google Chromium O.S., O.S. X and several others are mostly protected by obscurity. If Microsoft can “perfect” Windows 8.1 (Blue), it’ll be the safest software on the planet. I bet people will think twice before they call Windows “unsafe”. Windows 8 is already secure, and Windows 8.1 (Blue) is created with security in mind.

  • speas

    I have a very very hard time seeing any Windows software EVER being the safest on the planet. As great as crowd funding is, using people’s monetary ambitions to further development, I bet this release will be as unsafe as every other – after all, this many years and releases, do you think they would start making good software NOW? Not a chance.