Microsoft Expands the Scope of Its $100K Mitigation Bug Bounty

In addition to the standard bounty amount of up to $100,000, participants are eligible for up to $50,000 more if they also submit a qualifying defense idea

Now, the company will also pay out for responders and forensic experts who discover and submit previously unknown techniques that are in the wild – in other words, exploits the researchers have not created themselves.

“We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we’ll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive,” said Katie Moussouris, senior security strategist lead, Microsoft Trustworthy Computing, in a blog.

Black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and how long they remain useful before a vendor discovers and mitigates them – zero-days, in other words. Thus the bounty programs are designed to “change the dynamics and the economics of the current vulnerability market,” she said, offering payouts for bugs at times when other buyers typically are not buying them (e.g., during the preview/beta period).

“By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery,” Moussouris said. This “allows Microsoft to get a number of critical bugs out of the market before they are widely traded in grey or black markets and subsequently used to attack customers.”

She also put a finer point on the expansion’s greater ramifications for individuals, explaining that the news means Microsoft is evolving the program from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.

Under the new Mitigation Bounty guidelines, organizations and individuals are eligible to submit proof-of-concept code and technical analysis of exploits found in active use in the wild. In addition to the standard bounty amount of up to $100,000, participants are eligible for up to $50,000 more if they also submit a qualifying defense idea.

To participate in the expanded bounty program, organizations must pre-register with Microsoft by emailing doa@Microsoft.com before turning in a submission. Once an organization has pre-registered and signed an agreement, Microsoft will accept an entry consisting of a technical write-up and proof-of-concept code for bounty consideration.

“Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it,” said Moussouris. “Individual bugs are like arrows. The stronger the shield, the less likely any individual bug or arrow can get through. Learning about ‘ways around the shield,’ or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of arrows as opposed to a single bug – hence, we are willing to pay $100,000 for these rare techniques.”
