Bug bounty programs are one of the most high-profile tools of organizations looking to improve their software security, with companies like Google and HP dishing out sums ranging from several hundred dollars to massive prizes of tens of thousands of dollars for major exploits. Recently, Microsoft joined in the practice for the first time, announcing its own ambitious bug bounty programs. As one of computing’s most influential names gets into the business of offering bug bounties, many are once again wondering what role these prizes play in protecting end users.
Microsoft’s window for researchers
Microsoft’s announcement that it will offer three separate bug bounty programs, one of which will pay out as much as $100,000 for certain vulnerabilities, came as welcome news to many in the software security community, Wired reported. In addition to that sum, researchers who offer a solution that fixes the vulnerability can make an additional $50,000. A program aimed specifically at the upcoming release of Internet Explorer 11 will pay researchers anywhere from $500 to more than $11,000 for vulnerabilities.
The company has long been criticized for benefiting from the free work of independent researchers uncovering vulnerabilities in its software, Wired noted. Microsoft has instead offered prizes to researchers who could devise defenses for specific attacks. Its decision to institute a white hat program came from the fact that many of the massive vulnerabilities that affect Microsoft software the most, such as mitigation bypasses, are ignored by most bug bounty programs or only get uncovered during annual contests with large prizes.
Do bug bounty programs work?
The large payout of the Microsoft program will help it compete against the black and gray markets, which have been compromising the effectiveness of bug bounties in recent years, InfoWorld’s Roger Grimes wrote. While many companies offer rewards for bugs, the sums tend to be smaller than what criminals could fetch on the black market. For criminals operating on a small scale, however, $100,000 or $150,000 would likely make the bounty a better deal. The potential is there, in other words, for a major improvement to security, but there are shortcomings.
“Bug bounty programs do increase the number of people who report bugs – and that’s a good thing,” Grimes wrote. “The biggest problem with bug bounty programs is that you never know which security bugs will ‘go big.’ Very few security bugs, no matter how severe, end up exploiting millions and millions of customers.”
The bugs that cause widespread havoc aren’t always the ones even security experts would expect, Grimes noted. In many cases, they often aren’t even new. While Microsoft does a timely and thorough job of patching its software, for instance, its products remain among the most exploited due to their widespread use and the fact that many users never install patches. While the measure of a bug bounty program’s success is theoretically that the number of successful attacks on software users goes down over time, the reality is that there are too many other factors outside of the vendor’s control.
“Even customers of a company with a good bug bounty program may suffer at the hands of one new bug that was not submitted through the program – or one that customers failed to patch in a timely manner,” Grimes wrote. “One bug can cause a whole lot of problems. A vendor can report that it closed more security holes than ever and still have more of its customers hacked than ever in the same year.”
Securing software before release
Since catching and patching bugs is not as failsafe as security pros might hope, one of the best things vendors can do is to build more safeguards into their development process. Tools such as static analysis software and code review interfaces can help companies eliminate errors prior to release. In fact, this approach is more or less the form Microsoft’s IE 11 bug bounty program has taken. Open for only 30 days during the software’s test period, the program hopes to preempt zero-day exploits.
“That’s really the best place to get the vulnerabilities [before the product goes to market], because you get it during the engineering phase of the product,” Microsoft security head Mike Reavey told Wired.
Such pre-release code review approaches can be one of the most valuable tools for vendors. However, bug bounty programs are also useful, particularly since they build a strong relationship with the security community, experts told Wired. As Microsoft’s program goes forward, it will likely be a point of focus for those considering the best software security techniques.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.