Many major software companies will
pay a "bug bounty" to the first person who reports a particular
security hole. Bounty amounts vary, but they can range anywhere from a
pat on the back to thousands of dollars. Microsoft's Mitigation Bypass Bounty
operates at a distinctly higher level. In order to claim the $100,000
reward, a researcher must present a brand-new exploitation technique
that's effective against the very latest version of Windows. This kind
of discovery is quite uncommon, and yet, just three months after
announcing this program, Microsoft today made its first $100,000 award.
A History of Cooperation
I spoke with Katie Moussouris, senior security strategy lead for Microsoft Trustworthy Computing group, about this award and about Microsoft's history of working with researchers and hackers. Moussouris joined about six and a half years ago as a security strategist, but "there was a long history of Microsoft engaging with researchers and hackers, even before my time."
Moussouris gave as an example the researchers who discovered the vulnerability that powered the Blaster worm.
"Microsoft senior officials visited them in Poland," she said. "They
were recruited... They're still working with us for the past decade."
She noted that Microsoft's regular BlueHat conferences
"bring hackers to Microsoft to meet our people, to educate and
entertain, and make our products more secure." In 2012, Microsoft's
BlueHat Prize contest awarded over $250,000 to three academic researchers who came up with never-before-seen innovations.
Current Bounties
"Three months ago we launched three new bounties," said Moussouris, "two of which are still active." During the first 30 days of the Internet Explorer 11 preview, Microsoft offered ordinary bug bounties. "A lot of researchers were holding on, not reporting bugs, waiting for final release," noted Moussouris. "We decided to encourage them to submit those reports." At the end of that program's 30-day run, six researchers had claimed bug bounties totaling over $28,000.
The Mitigation Bypass Bounty specifically rewards
researchers who discover a whole new exploitation method. "If we didn't
already know about return-oriented programming,"
said Moussouris, "that discovery would have earned $100,000." It's not
just pie-in-the-sky research, either. A researcher who wants to claim
this bounty must supply a working proof-of-concept program that
demonstrates the exploitation technique.
"There were only three ways an organization could
learn about these attacks in the past," noted Moussouris. "First, our
internal researchers would come up with something. Second, it would
appear in an exploitation contest like Pwn2Own.
Third, and worst, it would surface in an active attack." She explained
that the current bounty program is available year-round, not just at a
competition. "If you're a researcher who wants to play nice, who wants
to protect people, there's a bounty available now. You do not have to wait."
And the Winner Is...
Moussouris estimates that discoveries big enough to merit a bounty only happen every three years or so. Her team was surprised and pleased to find a worthy recipient just three months after the bounty program began. James Forshaw, Head of Vulnerability Research for UK-based Context Information Security, becomes the first to receive the Mitigation Bypass Bounty.
In an email to SecurityWatch, Forshaw had this to say:
"Microsoft's Mitigation Bypass Bounty is very important to help shift
the focus of bounty programs from offence to defence. It incentivises
researchers like me to commit time and effort to security in depth
rather than just striving for the total vulnerability count." Forshaw
continued, "To find my winning entry I studied the mitigations available
today and after brainstorming I identified a few potential angles. Not
all were viable but after some persistence I was finally successful."
As for exactly what Forshaw discovered, that won't be
revealed right away. The whole point is to give Microsoft time to set up
defenses before the bad guys make the same discovery, after all!