The Microsoft Security Response Center Team (MSRC) announced today that they will be launching a new targeted Windows Bug Bounty program (aptly named the “Windows Bounty Program”), in the hopes of catching vulnerabilities before they can reach the black market. The addition of a Windows Bug Bounty program comes as part of a comprehensive effort by Microsoft to improve their responsiveness and defences against security vulnerabilities.
This new Windows Bug Bounty program will go a long way towards helping identify and patch vulnerabilities in Microsoft’s products, with a focus on remote code execution, privilege escalation, and inherent design flaws.
Because Windows is closed source (which carries its own inherent security trade-offs), users will be limited in their ability to submit patches for the issues found through the Windows bug bounty program. Even so, the bug reports themselves will substantially help Microsoft improve the security of its products, since Microsoft can use them to investigate and patch the issues itself once it is notified of their existence.
Microsoft is also remodeling its Hyper-V Bounty Program to substantially increase the maximum payouts, in order to better compete with the prices those vulnerabilities fetch on the black market, and to more appropriately compensate the people who find issues. The new programs will have a maximum payout of $250,000 for a Hyper-V exploit with Remote Code Execution, and a maximum of $200,000 for Windows 10 exploits that are “Novel & fundamental advancement[s] in exploitation technology that universally bypasses current mitigations”.
In addition to the payouts for the first person to discover a bug, Microsoft is also offering 10% of the corresponding reward to the first person to report a bug that has already been discovered internally but has not yet been published. While not quite the same as the full payout, receiving a partial payout for reporting a vulnerability that Microsoft has already found will help encourage people to report vulnerabilities, as it alleviates some of the disappointment that usually comes with being told that the bug you reported was already known.
With this move to expand the scope of their bug bounties, Microsoft joins a long list of companies that have remodelled their bug bounty system in the past year, including Google, Apple, Qualcomm, the United States Air Force, and many others.
It is no coincidence that the list of companies expanding their bug bounty programs is long and growing. Rewarding people who report bugs goes a long way towards encouraging them to report those bugs to the company so they can be fixed, instead of attempting to sell them on the black market. It gives white hat hackers a legitimate route to make money from analysing your software, helping attract them to your ecosystem and maintain their interest. While it can be difficult to fully compete with the prices that certain exceptional vulnerabilities fetch on the black market, many hackers would much rather deal with legal methods of vulnerability reporting, and every vulnerability you can find and fix helps prevent it from being used for unsavoury practices that can harm your users.
While bug bounty programs have been around for a long time and have consistently proven their worth, there has been a renewed focus on them as of late due to certain extensive security vulnerabilities that have been recently revealed, including the leaked United States Central Intelligence Agency’s Vault 7, which contained security exploits for Microsoft Edge, Google Chrome, Mozilla Firefox, Opera, iOS, Android, macOS, Linux, and Microsoft Windows, among other targets. Microsoft in particular was heavily affected by security vulnerabilities last year, when it was revealed that the 2012 hacking of LinkedIn (which Microsoft bought last year) was substantially more widespread than had been initially estimated.
If you wish to report a security bug for Microsoft’s bug bounty program, you can email them at email@example.com following their Coordinated Vulnerability Disclosure (CVD) policy. If you have any questions about the program itself, the latest information about Microsoft’s bug bounty programs can be found at https://aka.ms/BugBounty. The Windows Bounty Program is expected to continue indefinitely, although it will likely be tweaked as time goes on to fit the changing security landscape.