Four months into its high-profile bug bounty programme, Microsoft has handed out its first $100,000 (£66,000) jackpot bounty to researcher James Forshaw of UK-based consultancy Context Information Security for discovering a potentially serious “mitigation bypass technique.”
The firm is keeping details of the issue to itself until a fix is implemented, but to have earned the maximum payment the technique would have had to defeat the exploit mitigations across a range of Microsoft’s software, with the programme focused on the forthcoming Windows 8.1 upgrade.
Launched in June after years of holding out against paying bounties, Microsoft’s programme has two levels of payment, of which the mitigation bypass tier, paying up to $100,000, is the most highly rewarded.
A second reward tier allows bounty hunters to submit a ‘BlueHat’ solution to the mitigation bypass, triggering a further payment of up to $50,000. A nominal third tier for flaws in Internet Explorer 11 Preview edition was time-limited to 30 days and is now closed.
It’s an unorthodox reward system in that it doesn’t place the emphasis on individual software flaws, although Microsoft can get hold of plenty of those indirectly through vendors running their own programmes. Bypasses are attack techniques that defeat the platform-wide exploit mitigations Microsoft builds into its operating system, so a single bypass can make whole classes of bugs exploitable again, hence their extra value.
The company has hinted that it might expand the program’s remit in future.
“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack,” said Microsoft’s MSRC senior security strategist, Katie Moussouris.
“This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”
In addition to becoming the first researcher to hit the $100,000 bounty, Forshaw separately discovered another $9,400 worth of bugs under the IE11 Preview programme.
“Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count,” commented Context Security’s Forshaw himself.
Finding the bypass called for lateral thinking rather than simply trying to make a program fall over, as would be the case with conventional bug hunting.
“To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful.”
The company that pioneered bug bounties is TippingPoint (later acquired by HP), which launched its Zero Day Initiative as far back as 2005. At the time it was hugely controversial, seen as rewarding and incentivising hackers to find flaws that might end up being sold to higher blackhat bidders.
The conventional wisdom has now changed dramatically with many large software vendors running some kind of programme, even if Yahoo’s was so chaotic it last week had to admit it had been sending out nothing more interesting than t-shirts to its presumably rather insulted informants. It later announced that it would replace this with conventional bounties of between $150 and $15,000.