
Microsoft Launches $100k Bug Bounty Program

samzenpus posted about a year ago | from the bug-hunt dept.


Trailrunner7 writes "After years of saying that the company didn't need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws. Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case. The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."


Question? (1)

Anonymous Coward | about a year ago | (#44055417)

How much does the NSA then pay for the bugs? ;-)

Re:Question? (1)

TapeCutter (624760) | about a year ago | (#44055711)

How much does the NSA then pay for the bugs? ;-)

Doesn't matter, they have 300 million pin numbers to choose from?

Re:Question? (0)

Guppy06 (410832) | about a year ago | (#44055755)

The NSA pays Microsoft $200k to implement the "bug" to begin with, so they're still making a net profit.

Bugs in Windows? Unthinkable! (0, Troll)

linear a (584575) | about a year ago | (#44055451)

Bugs? In Windows? I'm gonna be rich!

Re:Bugs in Windows? Unthinkable! (3, Insightful)

Anonymous Coward | about a year ago | (#44055511)

Now's the time to put up or shut up!

Re:Bugs in Windows? Unthinkable! (3, Insightful)

linear a (584575) | about a year ago | (#44055531)

Slashdotters shut up about Windows? Also unthinkable.

Re:Bugs in Windows? Unthinkable! (3, Interesting)

Bremic (2703997) | about a year ago | (#44056105)

I kind of agree.

However there are some things that will make this nearly impossible to claim even if you manage to find something.

It needs to be new, which means something they didn't know about.
However, they don't need to tell anyone when they learn about something new, which opens a perfect hole for them to say "Oh that one, we knew about that one" even if they didn't.

The line "a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows" is also important, because it gives them another way out of paying for it. "Oh, you are using Windows 8 with security patch 8.12.235321, but we are about to release security patch 8.12.235322 which has already fixed that - so you weren't on the latest version."

These are old tricks, which I have seen used by companies for other things where there is supposedly a reward.

Re:Bugs in Windows? Unthinkable! (2)

SpaceLifeForm (228190) | about a year ago | (#44056487)

May as well make it look like NSA is not paying millions per sploit.

Re:Bugs in Windows? Unthinkable! (1)

tibman (623933) | about a year ago | (#44060697)

If that's the case then you can immediately publish a working exploit as soon as they say they already know about it : ) I think they'd lose that fight, lol

Re:Bugs in Windows? Unthinkable! (0)

Anonymous Coward | about a year ago | (#44069571)

Last week I had a new W8 RT hit my bench. It was in lockout; I recovered the doc folder with all files readable, made an admin desktop and was in. Give me my money!

Re:Bugs in Windows? Unthinkable! (-1)

Anonymous Coward | about a year ago | (#44055623)

Would that be enough to even put up with Windows 8?

Re:Bugs in Windows? Unthinkable! (0)

ackthpt (218170) | about a year ago | (#44055693)

Bugs? In Windows? I'm gonna be rich!

They're gonna be bankrupt.

Re:Bugs in Windows? Unthinkable! (1)

Shavano (2541114) | about a year ago | (#44056099)

Not likely. It's an "up to" meaning "not more than." Any amount less than $100,001 is in compliance with that policy.

Re:Bugs in Windows? Unthinkable! (-1)

Anonymous Coward | about a year ago | (#44055743)

Bugs? No. These are features. No bounty for you!

Re:Bugs in Windows? Unthinkable! (2, Funny)

Mister Transistor (259842) | about a year ago | (#44055841)

This is old news! I have been getting rich forwarding emails from Microsoft's Email Beta Test program for years now.

That check should be showing up any day now...

Re:Bugs in Windows? Unthinkable! (-1)

Anonymous Coward | about a year ago | (#44055863)

Does "Steve Ballmer" count as a bug? He surely has caused me to give up on Microsoft Windows.

Finally (5, Insightful)

Max DollarCash (2874161) | about a year ago | (#44055481)

Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now. At least now the researchers discovering the bugs have an incentive to sell to Microsoft and get the bug fixed instead of selling it to the highest bidder, who will probably use it to create either "private" malware or government malware. Thank you m$

Re:Finally (2)

linear a (584575) | about a year ago | (#44055539)

Can the MS devs apply to the program for some *very* recent bugs?

Re:Finally (0)

Anonymous Coward | about a year ago | (#44055561)

Just be sure you don't submit the bug report until after the patch with your deliberately-added bug is released.

(If you were not implying that an MS dev might deliberately introduce bugs in order to cash in on this program, please ignore this post.)

Re:Finally (1)

hilather (1079603) | about a year ago | (#44055545)

Not only that, it's an incentive for other people who may have access to an unknown zero day to disclose that information to MS for the bounty.

Deal or no deal (1)

TapeCutter (624760) | about a year ago | (#44055673)

Bank offer is $100K, do you take it or risk losing it to someone else while you figure out a "defensive technique" and collect the extra $50K?

Re:Finally (1)

Anonymous Coward | about a year ago | (#44055647)

http://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml

I'm guessing they just give you part of what they get from the NSA now.

Re:Finally (-1)

Anonymous Coward | about a year ago | (#44055893)

It's a trap!

Re:Finally (0)

drinkypoo (153816) | about a year ago | (#44056289)

Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now.

they couldn't afford a bounty like this until Windows 7 was SP'd...

Lets hope they have deep pockets (1)

mrspoonsi (2955715) | about a year ago | (#44055483)

There could be an influx of bug reports, I guess all those zero days waiting in the wings for a buyer, they might be cashed in, which is the whole point of this program, so the question is why did it take 15 years to arrive?

Re:Lets hope they have deep pockets (0)

Anonymous Coward | about a year ago | (#44055519)

Lets hope they have deep pockets

err, it's Microsoft. They are the king of deep pocket spending to achieve a goal.

Metro (0)

Anonymous Coward | about a year ago | (#44055547)

Metro. Eagerly awaiting my check for $100k.

Right..... (-1)

Anonymous Coward | about a year ago | (#44055559)

you: "I found a bug that allows an attacker to compromise the system. Here is a write-up of a proof of concept of the bug and a demo of the compromise."
microsoft: "that's not a bug, that's a feature."

you go away with no money and being disappointed.

a month later....

windows update: "xyz feature updated."

Re:Right..... (0)

Anonymous Coward | about a year ago | (#44059443)

you: "I found a bug that allows an attacker to compromise the system. Here is a write-up of a proof of concept of the bug and a demo of the compromise." microsoft: "that's not a bug, that's a feature."

Hacky McHacker: "Then you'll welcome the publicity when I demonstrate that feature. Cheerio!"

microsoft: "Let's not be too hasty, mister McHacker..."

Breaking News: Microsoft goes bankrupt. (0, Funny)

Anonymous Coward | about a year ago | (#44055577)

After just one hour since they announced their "100k per bug" program, over 4 million unique bugs were reported. When looking for comment, Steve Ballmer was seen parasailing into the sunset on his golden parachute.

Re:Breaking News: Microsoft goes bankrupt. (0)

Anonymous Coward | about a year ago | (#44055733)

Please note the weasel words "up to" which of course includes 0. How many do you think they will actually pay for?

Re:Breaking News: Microsoft goes bankrupt. (1)

linear a (584575) | about a year ago | (#44060829)

Does "up to" include negative numbers?

Re:Breaking News: Microsoft goes bankrupt. (-1)

Anonymous Coward | about a year ago | (#44057385)

Vista, 7 and 8 _are_ malware. Ballmer, hand me 3x $100k, or else.

Launches? 2013? (-1)

Anonymous Coward | about a year ago | (#44055701)

Isn't this how Bill the Borg made his money?

Rich (0)

Frankie70 (803801) | about a year ago | (#44055717)

Now all those slashdotters who keep insisting that Windows is ridden with security bugs (like they were in the early 2000s) have an opportunity to put up or shut up.

Re: Rich (0, Informative)

Anonymous Coward | about a year ago | (#44056003)

Disregarding the Russian zero-day exploit forums, according to Secunia, Windows 7 (Win 8 is still too young and has only 42 warnings) is ridden by 142 advisories and 294 vulnerabilities. At least 5% are still not fixed and are highly critical (endangering. Red alert).

Windows and security was and will always be an oxymoron.

Re:Rich (0)

Anonymous Coward | about a year ago | (#44057823)

Why did you even say this?

Why didn't you post it anon at least?

Exploit circle (2, Informative)

Anonymous Coward | about a year ago | (#44055731)

1) Pay for exploits up to 100,000
2) Sell exploits to NSA for up to 200,000, guaranteed unpatched for x days
3) Patch exploit; forcing NSA to buy more exploits
4) Repeat steps
5) Profit!

Why so much? (1)

wisnoskij (1206448) | about a year ago | (#44055997)

So up to a short time ago people did this for free? But now they are worth 100K a pop?

Re:Why so much? (1)

Shavano (2541114) | about a year ago | (#44056111)

Because there has been a body of very effective bug finders who find bugs for profit.

Re:Why so much? (0)

mjwx (966435) | about a year ago | (#44057353)

So up to a short time ago people did this for free? But now they are worth 100K a pop?

Actually it's a $100,000 program, not $100,000 a bug. With the volume of bugs in Windows they will probably be broke in a week offering $5 a pop.

What about XP? (1)

slashmydots (2189826) | about a year ago | (#44056205)

Update: the going price for an exploit in XP is $5 in Xbox Live credit, lol.

I just quit my day job (0)

Anonymous Coward | about a year ago | (#44056419)

time to go hunt me some bugs

Re:I just quit my day job (0)

Z00L00K (682162) | about a year ago | (#44057463)

No problem - Windows itself is a bug.

What about async/await? (0)

elabs (2539572) | about a year ago | (#44056527)

He seems to only be comparing the API that Java and C# have in common. C# has gone way beyond java with async/await, true generics, properties, dynamic objects, the var keyword, and many more features. Sure, they are comparable languages if you just use the subset of C# that maps to Java.

Re:What about async/await? (0)

Anonymous Coward | about a year ago | (#44057115)

Wrong topic!

Re:What about async/await? (0)

Anonymous Coward | about a year ago | (#44057841)

Wrong topic, butttttt.....

Have you ever tried to run a recent C# application in mono?

I agree with your statement, generally... Java and C# are comparable in their respective comparable areas.

It's just that as far as I'm concerned the relative lack of support under Linux (let alone anything else, and no, I'm not fucking running Windows CE on an embedded device, thanks) makes this a no-brainer.

lol (-1)

Anonymous Coward | about a year ago | (#44056739)

This move may bankrupt them, their software has more bu... err.. 'features' than they may want to own up to.

Count me in! (0)

elabs (2539572) | about a year ago | (#44056741)

I've always wanted to be a part of one of these. I have no hacker skills but I can spot bugs.

Trol7kore (-1)

Anonymous Coward | about a year ago | (#44056753)

depart0res of [goat.cx]

Bug no. 54321: Mitigating factors... (1)

jkrise (535370) | about a year ago | (#44057047)

will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."

In this style: http://technet.microsoft.com/en-us/security/bulletin/ms12-020 [microsoft.com]

Bug no.: 54321
Severity: Critical
FAQ: Allows privilege escalation
Mitigating factors:

1. There are only 3 genuine users of the latest version of our operating system

2. We care a damn about affected earlier versions since those lousy bastards need to upgrade anyway

So it is a bug yes, latest version affected yes, but Bounty for you? No!!

This is clearly an economically sound decision (0)

Anonymous Coward | about a year ago | (#44057551)

I think that by making this decision, Microsoft is clearly slapping the 'slashdot crowd' in the face. Real Hard. They are fucking sick of your hater bullshit. I am with them, personally. They have sound product that has stood the test of time. Fuck you and your slashdot elitist crap. I DARE you to break windows.

I'm fully in support of this. They have the resources and knowledge to fix this from the root up. Just tell them what they did wrong, and they'll fix it. Hate them? Too bad... just say what's wrong, and please let them fix the world. The rest of them have to deal with Windows... help them live through the pain.

Thanks,
Me

Re:This is clearly an economically sound decision (0)

Anonymous Coward | about a year ago | (#44059021)

What? No, really, what?

Have you ever seen a skid with a botnet? I have, and I have seen quite a few of them.

How do you think these little amateur botnets are created? Spoilers: it's because Windows in all of its incarnations have vulns that skids can exploit without even knowing what TCP means.

Just because you haven't seen the problem first-hand does not mean that it does not exist.

ONE! huge fix Microsoft!. (0)

Anonymous Coward | about a year ago | (#44057877)

Microsoft could have secured the operating system with these steps: at install time, require an Admin password to be set; next, make the Admin account useless for anything other than administrative tasks (including installing software); then make a user account with low privileges for regular use.

I have been working as a techie for many years, and most of the problems I have encountered could have been avoided if the user had been required to log in to the admin account to install crapware.
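The three-step setup described in the post above, as an added PowerShell example (not the commenter's own script, and not a Microsoft-supplied procedure). It assumes a current Windows build with the built-in LocalAccounts module (New-LocalUser, Set-LocalUser, Get-LocalGroupMember), an elevated prompt, and a placeholder account name chosen here; the effect is that the daily account sits in Users only, so installing software triggers a UAC credential prompt for the admin account.

```powershell
# Added example: enforce "admin password set, admin account reserved for admin work,
# low-privilege account for daily use". Assumes Windows 10/11 or Server 2016+ with the
# LocalAccounts module; must run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$StandardUserName = 'dailyuser'   # placeholder; pick your own name

# Step 1: the privileged account gets a real password. Prompt for it rather than
# hard-coding it, so the value never lands in a script file or console history.
$adminPassword = Read-Host -Prompt 'Password for the local Administrator account' -AsSecureString
Set-LocalUser -Name 'Administrator' -Password $adminPassword
Enable-LocalUser -Name 'Administrator'

# Step 3 (creates the account step 2 depends on): a standard user for regular use.
# Membership of Users only means installs and system changes require elevation.
if (-not (Get-LocalUser -Name $StandardUserName -ErrorAction SilentlyContinue)) {
    $userPassword = Read-Host -Prompt "Password for $StandardUserName" -AsSecureString
    New-LocalUser -Name $StandardUserName -Password $userPassword | Out-Null
}
Add-LocalGroupMember -Group 'Users' -Member $StandardUserName -ErrorAction SilentlyContinue

# Step 2 as a check: the daily account must not also be an administrator, otherwise
# "log in to the admin account to install" is not actually enforced.
$qualified = "$env:COMPUTERNAME\$StandardUserName"
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins -contains $qualified) {
    Write-Warning "$qualified is a member of Administrators; remove it with Remove-LocalGroupMember."
} else {
    Write-Output "$qualified is a standard user; software installs will prompt for admin credentials."
}
```

The check at the end is the part worth keeping around: on a machine set up by someone else, the first user is usually an administrator, so "make the admin account useless for other use" silently fails until that account is moved out of the Administrators group.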

First bounty (1)

Anonymous Coward | about a year ago | (#44057969)

Dear Microsoft,
    I have found a terrible bug in Windows 8. I don't know how it got through testing, but the start button and its menu is missing. It isn't actually letting adversaries *in* to the system but it is letting an awful lot of users *out* of the system. So I'm hopeful that you can stretch the definition of "security bugs" to cover "financial security of Microsoft bugs" and get a check headed my way.

Genius Marketing (1)

Aaron B Lingwood (1288412) | about a year ago | (#44058559)

Can't get people to buy your latest piece of software?
Simply offering a generous bug bounty may be enough to convince technologists to buy and use your software.
While the cost of the program is likely greater than the related sales, said technologists will become accustomed to your new software and push it on to their families, their friends, their neighbours, their customers and their workplaces. Genius marketing is genius.

So Windows 7 and XP users are SOL? (1)

Bearhouse (1034238) | about a year ago | (#44058607)

capable of bypassing the latest existing mitigations in the newest version of Windows

So if someone finds a juicy exploit in Windows 7, then his only potential choices are (a) a pat on the back from Ballmer, or (b) sell it to the bad guys?

Pay me $100k to use Windows 8 (0)

Anonymous Coward | about a year ago | (#44058943)

You'd have to pay me $100k to just use Windows 8, let alone find a bug

Metro.... (0)

Anonymous Coward | about a year ago | (#44059385)

The biggest bug is the UI, could someone start a kickstarter to raise funds to pay a bunch of developers to fix that one?

CPU companies don't use "bounties" why does SW? (2)

yayoubetcha (893774) | about a year ago | (#44061095)

As a former validation and verification engineer/manager I find it obscene that these big institutions get work performed in V&V for next to nothing (and poorly at that). My team, at a large semiconductor company, comprised 10 engineers performing pre-silicon and board-set validation, and subsequently verification. And we were an augment to the designers and other "silicon" teams that were doing their own V&V, and the "BIOS/EFI" and OS groups doing their own.

The result: perfection on both Silicon and board-sets before first public release (how many updates do you get each month to swap out your CPU or chip-set?). Since software companies can just issue an update, they opt to save a few million dollars (perhaps as much as a few pennies+ per sold unit), and offer $50,000 and $100,000 "bounties". Not only is this not a good way to get the work done (no access to internal documents and engineers), it promotes sloppy engineering as we all experience on an ongoing basis.

It is a shame that software companies rely on "bounty" programs more and more in lieu of proper test-engineering. The result will be fixes, and fixes to the fixes as we have seen from [dare I say 'all'] software companies. Could you imagine how pissed you'd be if your chips from Intel, AMD, Qualcomm, were released with the same quality level as software???

Re:CPU companies don't use "bounties" why does SW? (1)

RightSaidFred99 (874576) | about a year ago | (#44061849)

Apples, meet Oranges.

Re:CPU companies don't use "bounties" why does SW? (1)

yayoubetcha (893774) | about a year ago | (#44063155)

Wrong. SW companies do it because they can get away with it, and people believe "that's just the way it is". Yes it is... sloppy work on the part of SW

Re:CPU companies don't use "bounties" why does SW? (1)

RightSaidFred99 (874576) | about a year ago | (#44063847)

Hardware is much more easily validated, and usually much less easily updated after the fact. And that is just the way it is. Anyone even basically familiar with both would know this.

Re:CPU companies don't use "bounties" why does SW? (1)

yayoubetcha (893774) | about a year ago | (#44064529)

You obviously have NO idea what the hell you are talking about.

My 10 years in silicon and board-set validation has all the validation requirements of SW (chips are coded in languages too, even 'C' sometimes), and another dozen+ layers of validation and verification to deal with electrical characteristics, material sciences, environmental, mfg process, and more layers than I care to list. This not only involves test software but all too often test hardware that is used for the very first time (which also needs debugging because of new protocols, probes that work at faster frequencies with each generation). Then dealing with EFI/BIOS and OS people as they point fingers at each other and HW pointing fingers back.

I am done with responding to your ignorance in thinking that SW is easier than HW - that is so absurdly funny.

Re:CPU companies don't use "bounties" why does SW? (0)

Anonymous Coward | about a year ago | (#44067991)

It's easier to validate a CPU (even the most high end of CPUs) than it is to validate an operating system and every service and application that comes with it including drivers and other software that will _later_ run on it for every possible security, functional, or nonfunctional flaw.

Don't be a fucking idiot.

My guess.... (0)

Anonymous Coward | about a year ago | (#44061165)

The NSA needs better exploits.
What better way than to get Micro$oft to pay for them before sharing!
Just saying...

This is a trick (0)

Anonymous Coward | about a year ago | (#44069467)

To get a few more Windows 8 sales