Microsoft’s new programs attract ‘bounty hunters’ who help make safer products

As long as people write code, it’s going to be imperfect. That’s where the class of security researchers colloquially known as “bug hunters” comes in, and Microsoft is paying them up to $100,000 via several new bounty programs to catch vulnerabilities, discover techniques that can get past a program’s defenses and even recommend repairs for problems.
“It’s my job to think of new programs to work with the hacker community so we can help protect our customers,” says Katie Moussouris, head of security community and strategy for the Microsoft Security Response Center, and self-dubbed “hacker whisperer.”
Some of the ideas coming from Moussouris and her team are new bounty programs to attract security researchers and hackers who can find bugs in applications and identify the techniques that sneak by defenses built into Windows – and to reward them for that valuable information while a product is still in the beta phase, so it can be fixed before the public uses it.
The Internet Explorer 11 Preview Bounty closed on July 26 after being open for 30 days, since the public release of Internet Explorer 11 Preview at the Microsoft Build Developer Conference in San Francisco. That program focused on reporting bugs and paid out amounts from $500 to $11,000 based on the complexity of the vulnerability and the amount of detail the finders were able to provide to the judging team in charge of evaluating each bug. Moussouris says they received more than 20 submissions for the IE11-specific program.
Two other programs, the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense, are ongoing, ready to pay out up to $100,000 for a truly novel exploitation technique that kneecaps protective systems built into the latest publicly available version of the operating system (Windows 8.1 Preview, also released at Build), and up to a $50,000 bonus for effective defenses against those exploitation techniques. There have been no submissions for these programs yet, but that’s not surprising, Moussouris says, since fewer than 1,000 researchers worldwide are capable of finding those types of issues. The high payouts reflect the high value of mitigation bypasses: while vulnerabilities are one-shot deals and fixed quickly, attackers can use bypass techniques against multiple vulnerabilities. The bounty program wants to yank those powerful techniques out of those attackers’ hands.
Luckily, some may emerge at the Black Hat conference this week in Las Vegas, which will host Live Mitigation Bypass Bounty judging Wednesday and Thursday at the Microsoft booth.
James Forshaw, 35, of London, is one IE11 Preview bounty recipient who has been notified and awarded $1,100 for focusing on bugs that allow for remote control over someone’s machine.
But don’t call Forshaw a hacker, please.
“I probably consider myself more of a tinkerer,” says Forshaw, who is head of vulnerability research at Context Information Security and a former software engineer. “If you say you’re a hacker, you’re bad in some form. If you’re a hacker, the connotation is that you’re an evil hacker who wants to take over systems.” Forshaw prefers to be known as a professional security researcher or consultant.
But, he does admit that...