Microsoft Security Bounty Programs

3:50 am on Jun 21, 2013 (gmt 0)

bill (Administrator from JP)

http://www.microsoft.com/security/msrc/report/bountyprograms.aspx [microsoft.com]

Microsoft Security Bounty Programs

Microsoft is now offering direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.
  • Mitigation Bypass Bounty - Microsoft will pay up to $100,000 USD for truly novel exploitation techniques
  • BlueHat Bonus for Defense - Microsoft will pay up to $50,000 USD for defensive ideas
  • Internet Explorer 11 Preview Bug Bounty - Microsoft will pay up to $11,000 USD for critical vulnerabilities
9:22 pm on June 24, 2013 (gmt 0)

ergophobe (Moderator)

Why didn't they think of this years ago?
6:20 am on June 25, 2013 (gmt 0)

swa66 (Senior Member)

Microsoft has been for years against the idea of paying those that report security flaws to them. There are a number of (security) vendors who will offer a bounty to those who find security bugs in Microsoft products and help to get Microsoft to acknowledge the problem in exchange for the publicity it yields them months to years later when Microsoft acknowledges the bug publicly.

So it's for sure an about face for Microsoft but nothing novel.

Also the scope is quite limited.

Also notice they pay "up to" an amount - not the amount. And knowing how hard it is to get them to acknowledge their products are less than perfect, this is not going to be a reliable income, no matter how skilled you are at it.
6:28 am on June 25, 2013 (gmt 0)

phranque (Administrator)

truly novel
4:26 pm on June 25, 2013 (gmt 0)

ergophobe (Moderator)

>> pay "up to" an amount

That's pretty standard for any reward, including information leading to the arrest of a murderer or whatever.

If they turn out to be really cheap about it, they will reap the "benefits", which is to say that people will turn on them and make the situation worse. If they are generous, word will get out and people will really hunt for exploits.

I suppose the great unknown is how many exploits are there? If people start reporting them in massive numbers, it could get too expensive. But if people stop reporting them, it could get expensive.

Now that I think about it, I can see why they hesitated to do something like this. Does anyone know if Google or Apple have similar programs?
8:56 pm on June 25, 2013 (gmt 0)

swa66 (Senior Member)

Apple only has a published email address (product-security@apple.com) to contact them, no bounty program AFAIK. Apple does systematically give credit to those that help them.
(Microsoft does too, but only if you follow their rules and have the patience needed for their slow process)

Google has a Bounty program.

Vendors and products:

AT&T: [developer.att.com...]
Avast! [blog.avast.com...]
Barracuda: [barracudalabs.com...]
CCBill: [ccbill.com...] and [ccbill.com...]
Chromium: [chromium.org...]
Cisco Meraki: [meraki.cisco.com...]
Coinbase (bitcoin): [coinbase.com...]
Etsy: [etsy.com...]
Facebook: [facebook.com...]
Gallery: [codex.galleryproject.org...]
Google's program: [google.com...]
Hex ray (IDA): [hex-rays.com...]
Mozilla: [mozilla.org...]
Paypal: [paypal.com...]
Piwik: [piwik.org...]
Samsung (smart TV): [samsungtvbounty.com...]
Tarsnap: [tarsnap.com...]
Wordpress: [whitefirdesign.com...]
Yandex: [company.yandex.com...]

Intermediaries:

Beyond security: [beyondsecurity.com...]
Coseinc: [coseinc.com...]
Exodusintel: [exodusintel.com...]
Exploithub (they sell exploits in a marketplace, I won't link)
Insightpartners: [gvp.isightpartners.com...]
Packet Storm: [packetstormsecurity.com...]
Secunia: [secunia.com...]
ZDI: [zerodayinitiative.com...]

There are more programs out there, I've not tried to keep a complete list, and there are also quite a few that just give mentions, links, t-shirts and the like - I've also not included those above.

I hope the links are OK. As far as I know none are dangerous to visit. BUT not everything might be suitable for work. Take care if your corporate security is rather tight, they might disapprove of some of the content.
2:39 pm on June 26, 2013 (gmt 0)

ergophobe (Moderator)

Interesting. I didn't know