Microsoft is expanding the list of security experts who can earn cash payouts for submitting novel ways to bypass the built-in security restrictions in Windows.
Incident responders and forensics experts who pre-register with the software maker and sign a required non-disclosure agreement now qualify to submit novel mitigation bypass techniques that they develop or encounter in the wild. The most novel submissions must include a technical write-up and proof-of-concept code, Microsoft said. Once reviewed, submissions could earn up to $100,000 from the software maker.
"Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows," wrote Katie Moussouris, senior security strategist at Microsoft's Security Response Center, in a blog post about the program extension. "The stronger the shield, the less likely any individual bug or arrow can get through."
Moussouris said bypass submissions are more helpful to Microsoft engineers than vulnerability submissions because measures can be put in place to block new bypass techniques. The security restrictions block entire classes of attacks as opposed to a single software vulnerability, she said.
Several security expert consultants associated with managed security services providers told CRN that the changes are welcome and could help Microsoft gain insight into hackers' bypass techniques so they can be addressed at a faster clip. While digital forensics teams responsibly disclose vulnerabilities uncovered in the course of their work, they won't typically have time to immediately submit novel hacking techniques until they are done engaging with a client, they told CRN.
In June, Microsoft unveiled its bug bounty program, abruptly reversing course on earlier statements in opposition to the effectiveness of software bug bounty programs. In addition to mitigation bypass techniques, the company said it would pay out to researchers who found flaws in the newest version of Internet Explorer 11 preview running on Windows 8.1. During the length of the program, the company said it received several vulnerabilities that qualified for a bounty.
The program has issued more than $128,000 to security researchers. Last month, Microsoft issued its first $100,000 reward to James Forshaw, a security researcher at London-based penetration testing and security training firm Context Information Security. Details of the new mitigation bypass technique are being withheld until Microsoft addresses it. Additionally, Forshaw received about $9,000 for an IE 11 flaw that he detected.
NEXT: Hackers Find New Ways To Bypass Mitigations
Security experts say that maturing software security processes have forced hackers to find ways to bypass mitigations employed by software makers. Microsoft's data execution prevention (DEP) and address space layout randomization (ASLR) are being more widely deployed, making code execution more difficult.
Google's bug bounty program pays out between $500 and $3,133.70 for critical bugs researchers find in its Chrome browser and Web applications. In October, Google extended its bug payout program to some open-source projects. The company is initially limiting it to critical components in the Linux kernel, high-impact libraries such as OpenSSL and core infrastructure network services and image parsers. Researchers find flaws and submit the find along with a fix to the maintainers of the project, as well as work with them to have it accepted into the repository and incorporated into a shipping version of the program, Google said.
Mozilla, Yahoo, Facebook and PayPal also run flaw reward programs. Apple does not have a formal program to reward researchers for finding flaws.
PUBLISHED NOV. 5, 2013