Microsoft on Wednesday sent its first email congratulations to a bug bounty recipient, just a few weeks after throwing its hat into the bug-bounty ring.
The security community has responded to the program with enthusiasm, writes Katie Moussouris, senior security strategist for Microsoft’s Security Resource Center (MSRC), with MSRC already having over a dozen issues to investigate.
I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)
She hasn’t yet named names or put a price tag on the first recipient.
In fact, there are already multiple researchers who’ll be receiving bounty payouts.
MSRC plans to publicly recognize those researchers who want credit for their contributions on an acknowledgement page on its bounty web site. Stay tuned, as it will come soon, Moussouris says.
What Microsoft can share at this point are these two key results:
- They’re getting more submissions, earlier. Microsoft has received more vulnerability reports in the first two weeks of its bounty programs than it typically would in an average month. It shows that the strategy for getting more vulnerability reports earlier in the release cycle is working, it says.
- They’re attracting new researchers. Researchers who’ve rarely, or even never, reported directly to Microsoft are now choosing to talk directly to the company. Microsoft interprets that as proof that its strategy to hear from people it usually doesn’t hear from is bearing fruit.
As Moussouris explains it, Microsoft was canny in how it chose to approach the vulnerability market.
There’s the black market, where zero-day bugs fetch the highest prices. Then there’s the gray market, where bug-hunting mercenaries make a mint selling information about exploit techniques and unpatched vulnerabilities to corporations and nation states.
Microsoft didn’t go there. Instead, it focused on the white market: the place where buyers are after vulnerability information for defensive use, whether it’s vendors themselves (via bounty programs) or a broker who uses the vulnerabilities for their own protection services or threat reports.
Moussouris says that three years ago, white-hat bug hunters were passing up cash on the white market and were instead mostly coming to Microsoft directly.
That changed over the past few years. Microsoft has witnessed researchers increasingly holding bugs back to see what the going rate might reach on the various markets, typically after Microsoft has released code to manufacturing.
The way Microsoft figures it, it’s identified a gap in the market that its new bounty program is filling: namely, in the pre-release, or beta, period.
It's not about offering the most money, but rather about putting attractive bounties out at times where there are few buyers (if any)... Trying to be the highest bidder is a checkers move, and we're playing chess.
There is data that bolsters Moussouris’ contention that strategically structured, well-timed bounty programs are a good investment.
A study recently released by the University of California, Berkeley reports that paying bounties to independent security researchers is a better investment than hiring employees to do it.
For example, Google’s paid out about $580,000 over three years for 501 Chrome bugs, and Firefox has paid out about $570,000 over the same period for 190 bugs.
Compare that with just one full-time salaried security researcher digging through code, at, say, $100,000 per year, and the savings can be huge.
In fact, the study found that bounty programs “appear to be 2-100 times more cost-effective than hiring expert security researchers to find vulnerabilities.”
On top of that, the study found that the participation of a much broader population of people combing through the code means that a greater diversity of bugs are found.
The program, so far, sounds like a win-win-win for the security community, for consumers and for Microsoft.
At this early stage, it looks like it’s helping to find bugs sooner and to work toward the goal of releasing code that’s that much more tightly bolted down.
The crowd-sourcing of bug hunting, meanwhile, looks to be a good way to get a much broader, more diverse collection of vulnerability sightings.
Microsoft will be doing live judging of Mitigation Bypass Bounty submissions at its booth around noon on 31 July and 1 August at Black Hat, Las Vegas, if you’re in town and want to check it out.