Microsoft on Monday expanded its $100,000 bounty program, and will accept reports of in-the-wild attacks that demonstrate new techniques of bypassing Windows' anti-exploit technologies.
"This will be pretty disruptive," said Chris Wysopal, co-founder and CTO of Veracode, a Burlington, Mass. company that develops application security testing and risk management software, talking about the impact on cyber criminals. "This is a pretty big bounty for someone doing [security] incident response."
The expanded program lets front-line security researchers, which Microsoft described as "responders and forensics experts," submit reports of unique attack techniques that they have found in active exploits.
The maximum payment remains $100,000, the bar that Microsoft established in June when it kicked off what it called the "Mitigation Bypass Bounty."
Previously, Microsoft only accepted novel and reliable exploit techniques that researchers and academics had devised in the abstract, and which had not been used by actual hackers. The program aimed to acquire information about such techniques -- which could circumvent Windows 8.1's built-in defenses, like DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization) and SEHOP (Structured Exception Handling Overwrite Protection) -- before attackers used them so Microsoft could pre-empt exploits by beefing up the OS's protection.
Microsoft has awarded only one $100,000 Mitigation Bypass Bounty, which went to James Forshaw, the head of vulnerability research at U.K.-based Context Information Security, last month.
The change, as one security expert said, brings Microsoft closer to traditional bug bounty programs, which pay for each vulnerability. "[This] is very much riding the line of paying for zero-days," said Andrew Storms, director of DevOps at CloudPassage of San Francisco, in an instant message interview yesterday.
Microsoft declined to answer questions about how the changes were different from a per-bug bounty, with a spokesperson instead pointing to a blog post written by Katie Moussouris, a senior security strategist lead at the company, in which Moussouris likened bug bounties to paying to deflect individual arrows while the Microsoft program pays for information about "ways around the shield."
Security professionals disagreed whether Microsoft had crossed the line to a pay-for-bugs model, which the company has repeatedly said it would not do.
"It sure does seem to boil down to a person or organization has gotten their hands on a new attack method and they turn it over to Microsoft for a payout," said Storms. "Although I guess you could say that they are paying for a technique instead of a payload."
While acknowledging that it was "splitting hairs" to deny that the new program was a bug bounty, Wysopal said that "It's only for mitigation bypasses, it's not just for any zero-day bug. They're not paying for a zero-day [vulnerability] in Windows XP, for example."