Microsoft forked out $13.7m in bug bounties. The reward program’s architect thinks the money could be better spent

Microsoft’s bug bounty program has exploded in both scope and payouts.

The Windows giant said on Tuesday that over the twelve months to June 30, 2020, it paid out $13.7m for reports of vulnerabilities in its products, more than treble the prior year’s total of $4.4m.

The coronavirus pandemic played a part in the bug-report surge, Microsoft said, as flaw finders required to stay indoors, or perhaps laid off and looking for a payday, hammered away at Redmond’s code. The rest was down to the IT titan increasing the number of programs and pathways for reporting programming errors for cash.

“This year, we launched six new bounty programs and two new research grants, attracting over 1,000 eligible reports from over 300 researchers across six continents,” noted Microsoft Bug Bounty lead Jarek Stanley.

“In addition to the new bounty programs, COVID-19 social distancing appears to have had an influence on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume through the first several months of the pandemic.”

This vulnerability gold rush may explain why, of late, Microsoft’s monthly batch of security patches has addressed more than 100 CVE-listed bugs at a time.

While the payouts are a nice figure for Microsoft to throw out there when talking up its bug bounty program, they may not be an indicator of healthy long-term security priorities.

Katie Moussouris, once the architect of Redmond’s bug-bounty program and now the CEO of Luta Security, fears there is a growing over-emphasis on external bug rewards, that is, payments to outside experts for finding holes in software after it is released to the public, as opposed to investment in staff and resources to limit the release of buggy code in the first place.

The worry is that, at some point in the future, a growing number of people with the right skills may simply wait for applications or system software to be released, find bugs in that production code, and report them for six-figure payouts, rather than stopping the flaws from seeing the light of day in the first place. And which other businesses will follow in Microsoft’s footsteps?

“While I love the growth of what is in scope for the Microsoft Bug bounty programs, I’m concerned that the dollar amounts are creeping into perverse incentive territory,” Moussouris told The Register. “Most security programs can find much more effective uses for $14m in vulnerability prevention and detection in-house.

“I’m worried there’s a trend to skip essential internal security investments, and the inevitable cannibalization of the hiring pipeline, when bounty prices exceed what in-house salaries are for prevention of bugs.”

The venerable Ms. Mo, who in addition to Microsoft also helped set up the bug bounty program for the United States Department of Defense, has in recent years become less of an advocate for bug payouts and more for dedicated security departments that can triage and patch the bugs.

“Microsoft absolutely invests internally in security, however the trend towards setting specific bug bounties at $250,000 and even over a million, as Apple has done, risks tempting internal security folks to leave their jobs, and will make hiring new talent harder, especially if they can stay independent and make more money,” said Moussouris.

“What companies must do before ever considering even a small bug bounty is assess their internal capabilities for preventing, finding, and fixing security bugs. Internal investments in hiring more qualified security people in-house, using better tools, and mandating a secure development lifecycle have a much higher return on investment than letting the public do the bug detection work for you afterwards.”
