Microsoft's bug bounty backdown

Microsoft has deployed a bug bounty program in a reversal of its former position to refuse to pay security researchers for reporting vulnerabilities.

On Wednesday, the tech giant announced it would pay up to US$100,000 under its Mitigation Bypass Bounty for “truly novel” means of exploiting Window 8.1 preview software.

It would pay up to $11,000 for critical vulnerabilities in Internet Explorer 11 and Windows 8.1 preview software.

When quizzed by SC last year on why it would not deploy a bug bounty, Microsoft security boss Mike Reavey said it received reports for free and added that bug bounties were not a solid long term security strategy. .

“I don’t think that filing and rewarding point issues is a long-term strategy to protect customers," Reavy said at the time.

Redmond’s new BlueHat competition -- which paid up to $200,000 for exploit mitigation technologies -- was more effective, he said, and more appealing to those who consider security research an “intellectual pursuit”.

That program received a new cash injection along with the introduction of the bug bounty with up to US$50,000 offered for defensive tech.

The three new programs will launch Wednesday.

Black Hat general manager Trey Ford said the program showed an evolution in Microsoft's way of thinking.

“This has probably been in the works over the last three years,” Ford said. “The cost [of] patching and the value of getting this information earlier from researchers has to be massive.”

It allowed a “more constructive conversation with the research community” rather than accepting vulnerabilities for free.

Back in 2009, Microsoft's refusal to pay for bugs spurred the No More Free Bugs campaign.

Microsoft's hand was forced because of the popularity and availablility of exploit trade markets acccording to Errata Security CEO Robert Graham.

He said that meant the company could no longer rely on free bugs to be reported.

“Instead of pimping your [vulnerability] for fame, you can now sell it to an interested party, such as Russian organised crime, Chinese spies, or the NSA cyber warriors,” Graham said.

“The right bug, to the right customer, at the right time, can be worth $1 million. Even crappy bugs can be worth $10,000. That means Microsoft can no longer count on people disclosing bugs to them – they have bid against the Russians, Chinese, and Americans."

With Darren Pauli.