|Microsoft Security Bounty Programs|
| 3:50 am on Jun 21, 2013 (gmt 0)|
Microsoft is now offering direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.
- Mitigation Bypass Bounty - Microsoft will pay up to $100,000 USD for truly novel exploitation techniques
- BlueHat Bonus for Defense - Microsoft will pay up to $50,000 USD for defensive ideas
- Internet Explorer 11 Preview Bug Bounty - Microsoft will pay up to $11,000 USD for critical vulnerabilities
| 9:22 pm on Jun 24, 2013 (gmt 0)|
Why didn't they think of this years ago?
| 6:20 am on Jun 25, 2013 (gmt 0)|
Microsoft has been for years against the idea of paying those that report security flaws to them. There are a number of (security) vendors who will offer a bounty to those who find security bugs in Microsoft products and help to get Microsoft to acknowledge the problem in exchange for the publicity it yields them months to years later when Microsoft acknowledges the bug publicly.
So it's for sure an about face for Microsoft but nothing novel.
Also the scope is quite limited.
Also notice they pay "up to" an amount - not the amount. And knowing how hard it is to get them to acknowledge their products are less than perfect, this is not going to be a reliable income, no matter how skilled you are at it.
| 6:28 am on Jun 25, 2013 (gmt 0)|
| 4:26 pm on Jun 25, 2013 (gmt 0)|
>> pay "up to" an amount
That's pretty standard for any reward, including information leading to the arrest of a murderer or whatever.
If they turn out to be really cheap about it, they will reap the "benefits", which is to say that people will turn on them and make the situation worse. If they are generous, word will get out and people will really hunt for exploits.
I suppose the great unknown is how many exploits are there? If people start reporting them in massive numbers, it could get too expensive. But if people stop reporting them, it could get expensive.
Now that I think about it, I can see why they hesitated to do something like this. Does anyone know if Google or Apple have similar programs?
| 8:56 pm on Jun 25, 2013 (gmt 0)|
Apple only has a published email address (firstname.lastname@example.org) to contact them, no bounty program AFAIK. Apple does systematically give credit to those that help them.
(Microsoft does too, but only if you follow their rules and have the patience needed for their slow process)
Google has a Bounty program.
Vendors and products:
CCBill: [ccbill.com...] and [ccbill.com...]
Cisco Meraki: [meraki.cisco.com...]
Coinbase (bitcoin): https://coinbase.com/whitehat
Google's program: [google.com...]
Hex-Rays (IDA): https://www.hex-rays.com/bugbounty.shtml
Samsung (smart TV): https://samsungtvbounty.com/
Beyond security: [beyondsecurity.com...]
Exploithub (they sell exploits in a marketplace, I won't link)
Packet Storm: [packetstormsecurity.com...]
There are more programs out there, I've not tried to keep a complete list, and there are also quite a few that just give mentions, links, t-shirts and the like - I've also not included those above.
I hope the links are OK. As far as I know none are dangerous to visit. BUT not everything might be suitable for work. Take care if your corporate security is rather tight, they might disapprove of some of the content.
| 2:39 pm on Jun 26, 2013 (gmt 0)|
Interesting. I didn't know