
Microsoft Corporate Forum

    
Microsoft Security Bounty Programs
bill
msg:4586301
3:50 am on Jun 21, 2013 (gmt 0)

http://www.microsoft.com/security/msrc/report/bountyprograms.aspx

Microsoft Security Bounty Programs

Microsoft is now offering direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.
  • Mitigation Bypass Bounty - Microsoft will pay up to $100,000 USD for truly novel exploitation techniques
  • BlueHat Bonus for Defense - Microsoft will pay up to $50,000 USD for defensive ideas
  • Internet Explorer 11 Preview Bug Bounty - Microsoft will pay up to $11,000 USD for critical vulnerabilities

 

ergophobe
msg:4587271
9:22 pm on Jun 24, 2013 (gmt 0)

Why didn't they think of this years ago?

swa66
msg:4587329
6:20 am on Jun 25, 2013 (gmt 0)

Microsoft has been for years against the idea of paying those that report security flaws to them. There are a number of (security) vendors who will offer a bounty to those who find security bugs in Microsoft products and help to get Microsoft to acknowledge the problem in exchange for the publicity it yields them months to years later when Microsoft acknowledges the bug publicly.

So it's for sure an about face for Microsoft but nothing novel.

Also, the scope is quite limited.

Also notice they pay "up to" an amount - not the amount. And knowing how hard it is to get them to acknowledge their products are less than perfect, this is not going to be a reliable income, no matter how skilled you are at it.

phranque
msg:4587331
6:28 am on Jun 25, 2013 (gmt 0)

truly novel

ergophobe
msg:4587473
4:26 pm on Jun 25, 2013 (gmt 0)

>> pay "up to" an amount

That's pretty standard for any reward, including information leading to the arrest of a murderer or whatever.

If they turn out to be really cheap about it, they will reap the "benefits", which is to say that people will turn on them and make the situation worse. If they are generous, word will get out and people will really hunt for exploits.

I suppose the great unknown is how many exploits are there? If people start reporting them in massive numbers, it could get too expensive. But if people stop reporting them, it could get expensive.

Now that I think about it, I can see why they hesitated to do something like this. Does anyone know if Google or Apple have similar programs?

swa66
msg:4587548
8:56 pm on Jun 25, 2013 (gmt 0)

Apple only has a published email address (product-security@apple.com) to contact them, no bounty program AFAIK. Apple does systematically give credit to those that help them.
(Microsoft does too, but only if you follow their rules and have the patience needed for their slow process)

Google has a Bounty program.

Vendors and products:

AT&T: [developer.att.com...]
Avast! [blog.avast.com...]
Barracuda: [barracudalabs.com...]
CCBill: [ccbill.com...] and [ccbill.com...]
Chromium: [chromium.org...]
Cisco Meraki: [meraki.cisco.com...]
Coinbase (bitcoin): https://coinbase.com/whitehat
Etsy: [etsy.com...]
Facebook: https://www.facebook.com/whitehat/bounty
Gallery: [codex.galleryproject.org...]
Google's program: [google.com...]
Hex-Rays (IDA): https://www.hex-rays.com/bugbounty.shtml
Mozilla: [mozilla.org...]
Paypal: https://www.paypal.com/webapps/mpp/security-tools/reporting-security-issues
Piwik: [piwik.org...]
Samsung (smart TV): https://samsungtvbounty.com/
Tarsnap: https://www.tarsnap.com/bugbounty.html
Wordpress: [whitefirdesign.com...]
Yandex: [company.yandex.com...]

Intermediaries:

Beyond security: [beyondsecurity.com...]
Coseinc: [coseinc.com...]
Exodusintel: https://www.exodusintel.com/eip/
Exploithub (they sell exploits in a marketplace, I won't link)
iSIGHT Partners: https://gvp.isightpartners.com/program_details.gvp?page=3&title=1&section=0
Packet Storm: [packetstormsecurity.com...]
Secunia: [secunia.com...]
ZDI: [zerodayinitiative.com...]

There are more programs out there, I've not tried to keep a complete list, and there are also quite a few that just give mentions, links, t-shirts and the like - I've also not included those above.

I hope the links are OK. As far as I know none are dangerous to visit, BUT not everything might be suitable for work. Take care if your corporate security is rather tight; they might disapprove of some of the content.

ergophobe
msg:4587853
2:39 pm on Jun 26, 2013 (gmt 0)

Interesting. I didn't know

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved