Higher stakes? Challenge accepted, says Microsoft

In June 2013, Microsoft announced its first-ever bug bounty program, and it was a doozie: $100,000 for each new, unique mitigation bypass technique, and up to an additional $50,000 if the submitted exploit is accompanied by ideas for defending against the new attack. The largest bounty has already been claimed by one researcher, but until now this opportunity was really only open to someone with plenty of time to come up with a bypass, something that can take months.

But now Microsoft has upped the ante by opening up the bounty program so that anyone can submit a qualifying bypass, regardless of who originally created it. This makes it a ‘dead or alive’ program that encourages incident responders, or anyone else who comes across a new technique in the wild, to be the first to grab it and claim the prize. The original creator of a bypass not only has to make sure it evades detection by security technology; he also has to protect it from his own confederates, or from anyone else who knows about it and thinks $100,000 is pretty nifty.

This also potentially disrupts the black market further, because anyone who was on the fence about selling their exploits to the bad guys or the good guys no longer has the luxury of mulling it over. If the writer doesn’t act, someone else will. And even if it is sold to a black market dealer, as soon as it’s detected elsewhere, the finder can still submit it and earn the bounty. (This presents the intriguing idea of arbitrage – buying at one price and selling at another – but we’ll leave that for another day.)

Now, the submission still requires a working proof of concept on Windows 8.1 (or whatever the latest version is going forward), along with a technical white paper, so it’s not entirely free of effort. But anyone who captures a newly detected, unique bypass can analyze it, get it working on the current release and write it up, even if they didn’t write the original.

This move by Microsoft presents economic disruption in the exploit market, but that’s not all. It’s also a step toward reversing the inherent asymmetry between attackers and defenders. Attackers can usually work together, and only have to find one way to compromise a defender’s systems; this bounty program turns the attackers against one another. And as is the case with large enough networks of intelligence sharing, an attacker only has to slip up once, somewhere, to lose that advantage everywhere.

Now that’s social engineering we can all get behind.




About the Author

Wendy Nather is Research Director, Security, within 451 Research’s Enterprise Security Program, providing analysis on the current state of security from the perspective of a veteran CISO. Wendy’s primary areas of coverage are on application security and security services.