Microsoft (NASDAQ: MSFT) is joining the likes of Google (NASDAQ: GOOG), Mozilla, PayPal and Facebook (NYSE: FB) in paying researchers who find vulnerabilities in its software, a so-called bug bounty program.
Microsoft announced this week that it is launching a bug bounty program on June 26 that would provide a number of prizes to researchers who uncover various holes in its products.
The program includes a prize of up to $100,000 for finding a "truly novel" way around security protections in the company's Windows 8.1 Preview operating system, another potential $50,000 for providing a fix to that security bypass and up to $11,000 for finding critical holes in the beta version of its Internet Explorer 11 browser. The last bounty is only good for 30 days.
In a blog post explaining the new program, Katie Moussouris, senior security strategist with Microsoft Security Response Center, wrote: "For the first time ever, Microsoft is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques. We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft's customers and the security researcher community."
Last year, Microsoft began offering its BlueHat Prize to researchers who came up with defensive measures to protect Microsoft products. However, until this week, the company had resisted paying researchers to go out and find vulnerabilities in its products.
HP (NYSE: HPQ) runs a bug bounty program known as the Zero Day Initiative (ZDI), which pays researchers for finding and responsibly disclosing critical vulnerabilities in any vendor's software, not just HP's own products. In response to the Microsoft announcement, Brian Gorenc, manager of the ZDI at HP Security Research, said in a statement: "It's great to see Microsoft embracing the independent research community with their new bug bounty program. Engaging this community to improve software security is a core directive of HP's Zero Day Initiative."
Gorenc noted that half of the 76 critical holes reported by Microsoft so far in 2013 are the result of work by ZDI. "As Microsoft leverages their new program to enhance the security of their beta offerings, HP ZDI will continue helping Microsoft secure their flagship software by disclosing vulnerabilities in programs like Internet Explorer 9 and 10, Office, and the core Windows OS," he added.
Amol Sarwate, director of Qualys Vulnerability Labs, wrote in a blog post that "this is an intelligent move by Microsoft to tap talent from all over the world, especially in the security space where it's hard to find that talent. It also encourages good research to land into the hands of vendors rather than being sold on the black market."
For more:
- see Microsoft's announcement
- read Moussouris' blog post
- check out Sarwate's blog post
Related articles:
June's Patch Tuesday looks like light, but important
Attackers could gain control of infected systems through Microsoft Office, Lync holes
Microsoft pulls security update after it causes 'blue screen of death'
