The company has recently launched several bug bounty programs for its products

Feb 28, 2014 10:03 GMT  ·  By

Microsoft has recently launched several new bounty programs for its products, agreeing to pay security researchers across the world for finding bugs and vulnerabilities in a number of solutions, including Windows 8.1 and Internet Explorer.

Of course, the first findings arrived quickly, and a handful of researchers received hefty rewards for the information they submitted to Microsoft, but everyone is still wondering why the software giant decided to launch such bug bounty programs at all.

In the last decade, Microsoft refused to do so: instead of paying for bugs and vulnerabilities found in its software, the company credited the researchers by name in the security advisories it released to users. In 2010 alone, no less than 90 percent of the reports were submitted to Microsoft at absolutely no cost, CRN reports today.

That, however, changed recently. Katie Moussouris, senior security strategist lead at Microsoft, explained at the RSA 2014 security conference in San Francisco that Redmond actually wants to disrupt the black market rather than compete with it, having found that, in many cases, researchers could earn large sums by selling the vulnerabilities they find in various software products.

Microsoft itself admits that it wants to get closer to researchers by paying for their findings, especially as it continues its struggle to make both Windows and Internet Explorer more secure.

“Our new bounty programs add expanded depth and flexibility to our existing community outreach programs. Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers,” the company said.

“At the heart of our community outreach programs, we’ve always had the same philosophy: help increase the win-win between Microsoft’s customers and the security research community. We have evolved and deepened our relationships with this community since the earliest days of Microsoft’s outreach.”

On June 26, 2013, Microsoft launched three different bug bounty programs, agreeing to pay no less than $100,000 (€73,000) for flaws found in Windows, $50,000 (€36,500) for “defensive ideas that accompany a qualifying Mitigation Bypass submission,” and $11,000 (€8,000) for Internet Explorer 11 security flaws.

The company has promised to continue launching similar bug bounty programs, especially because it will soon release a new wave of products, including Windows 8.1 Update 1 and then Windows 9. Both operating systems will receive multiple enhancements, and security is obviously expected to play a decisive role in their overall sales performance.