Jun 19 2013
When Katie Moussouris is so excited about something that she’s almost vibrating, you know it has to be big. So when she came to Chris John Riley and me earlier this week and said she had news from Microsoft, we had to make time to talk to her. Katie’s been working on the Microsoft Bug Bounty program for over three years, and it’s no wonder: getting a company like Microsoft to recognize the importance of working with the researcher community as early in the process as possible, and getting the funding to make it happen, is no small feat.
The three programs work like this: researchers who develop novel exploitation techniques (not just bugs, but new techniques) can receive $100,000 for the technique. If they also come up with a mitigation for that exploitation technique, they can receive another $50,000. The third program is specific to IE 11 and gives researchers the opportunity to earn $11,000 per bug during the first month of the IE 11 beta.
It’ll be interesting to see how other companies respond to Microsoft’s move. Rather than simply waiting for the vulnerability resellers to bring exploitation techniques and vulnerabilities to Microsoft once a product has been released, this encourages them to do the same during the development lifecycle, and at a healthy rate. Will other vendors be able to do the same, will they cast aspersions on Microsoft’s efforts, or will they simply pretend it never happened? Only time will tell.