Many are unhappy that the program is limited to certain types of security holes

Jun 22, 2013 07:34 GMT  ·  By

Earlier this week, Microsoft launched three bug bounty programs. Researchers who find novel exploitation techniques that bypass the built-in protections of Windows 8.1 Preview can earn up to $100,000 (€75,500), and those who find critical vulnerabilities in Internet Explorer 11 Preview can earn up to $11,000 (€8,300).

Researchers who come up with effective defensive ideas that accompany a qualifying Mitigation Bypass submission can earn up to $50,000 (€37,800).

We’ve reached out to several experts who have reported vulnerabilities to Microsoft to find out what they think of the new bug bounty programs.

“I am happy to see the new official program updates. The rules are complex, the scope is officially given and the guidelines are excellent. They also have a great team of judges to process the verifications – like Brandon, Nate and also the German Mario Heidenreich,” Vulnerability Lab CEO Benjamin Kunz-Mejri told us.

“I am sure the program will be extended soon with more important Microsoft products.”

Others also applaud Microsoft’s decision, but they too hope that the bug bounty program will be extended to incorporate other types of security holes as well.

“It’s nice that Microsoft has finally jumped into a bug bounty program. But this program is limited to software bugs. We all know that the world is moving towards web applications. So, Microsoft should expand this program to web apps,” Deepanker Verma, owner and founder of Techlomedia and Hackingtricks, said.

“Currently, Microsoft lists security researchers on its acknowledgement pages. But announcing a bug bounty for its web apps will surely help Microsoft in making its web apps secure. Although the company has its bug bounty program for software bugs, the payment is good enough to attract security researchers,” he added.

“Its new bug bounty program will help in improving its products, making them better and more secure. I hope the company will expand its program and add web services to the program.”

Rafay Baloch, security researcher and owner of rafayhackingarticles.net, agrees.

“Microsoft's bug bounty is not related to website bugs, it's only related to software bugs. So not many people would be participating in it. With that being said, the most interesting part would be the browser bugs. Since IE has been beaten lots of times in the past, it would be interesting to see if someone can break it once again,” he commented.

“It's good to see Microsoft finally paying researchers for vulnerabilities in their software products, just like the Google Chromium bug bounty program or ZDI. But personally I would say it could have been cooler (and better) if they had added their web services to the program,” security researcher Prakhar Prasad noted.

“Reward amounts in the MS bug bounty are no doubt mind-boggling, but they could have lessened the amount and provided opportunities to web bug hunters too. In my personal opinion, their web security is not up to the mark,” Prasad said.

“Google and Facebook are playing a good game. By giving opportunities to software as well as web bug hunters, they are getting the best of both worlds. As always, no one can claim 100% security; it is always a community effort to make things secure.”

Pakistani security researcher Mirza Burhan Baig has also shared his opinion on Microsoft’s new bug bounty program.

“In my view, Microsoft has started a new way by offering these, but Microsoft's officials should shed some light on web-level security, as we find security flaws by working day and night, and they just put the name,” he explained.

“I personally think that Microsoft should launch the Bug Bounty Program for [website vulnerabilities], as they are a bigger company than Google and Facebook in terms of revenue, so they can afford it. Or they have to take some time and make a team to test the domains,” he added.

“Because Facebook pays $3,500 for a stored XSS, Google pays $1,000+, and even smaller companies pay. I just got $100 for reporting an XSS to besnappy.com, while on the other hand Microsoft just puts the name of the researcher on its website. This is also a good thing, but the thing which motivates the researcher is the $, because everyone is working hard day and night, so he/she must be rewarded.”

We’ve reached out to Microsoft to find out if it plans on adding web vulnerabilities to the bug bounty program anytime soon.

“These new programs build on our focus of direct investments in the security research community, and we’ll evaluate and determine our next evolution of programs as part of our continued efforts to help keep customers safe,” said Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing.