The Akamai Blog

Bug Bounty Programs A Turning Point For Microsoft

Here in Akamai's InfoSec department, we constantly remind employees and customers to keep up on all the latest security patches in their environment. Since Windows is everywhere in the business world, it's particularly important to keep an eye on Microsoft's patching efforts.

This week, the software giant made a big move in the name of vulnerability management, unleashing bug bounty programs that will likely lead to many more security patches in the future. Katie Moussouris, a senior security strategist with Microsoft, announced the initiative in a Microsoft blog post and on the podcast of Akamai InfoSec strategist Martin McKeay. She wrote in the blog post:

Today is an inflection point for Microsoft, as well as the security industry. For the first time ever, Microsoft is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques. We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft's customers and the security researcher community.

Full details for the new bounty programs and a fantastic technical deep-dive by our esteemed panel of judges (headed by Matt Miller and David Ross) can be found on SRD's blog.

In short, we are offering cash payouts for the following programs:

  • Mitigation Bypass Bounty - Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest.
  • BlueHat Bonus for Defense - Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered.
  • IE11 Preview Bug Bounty - Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 Preview period. Learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft deliver the most secure version of IE to our customers.

As Martin noted in his podcast, that's a lot of money for those who rise to the challenge.

I congratulate Katie and her colleagues for making this happen. It's a big turning point for the software giant. I remember covering flaws, malware and patches impacting Microsoft a decade ago. Back then, the folks in Redmond balked whenever a researcher took the liberty of taking new flaw findings public. Now Microsoft is encouraging people to take their best shots and find breaks in the armor. That means more vulnerabilities will be discovered and fixed, and we'll all be more secure as a result.

Below: A group photo of those who worked on the bug bounty programs.

L-R: David Seidman, Gerardo di Giacomo, Mark Oram (via avatar), Mike Reavey, Dustin Childs, Leah Lease, Rob Chapman, Neil Sikka, Jacqueline Lodwig, Brandon Caldwell, Katie Moussouris, Nate Jones, Sweety Chauhan, Emily Anderson, Claudette Hatcher, Cynthia Sandwick, Stephen Finnegan, Manuel Caballero, Ben Richeson, Elias Bachaalany, David Ross, Cristian Craioveanu, Ken Johnson, Mario Heiderich, Jonathan Ness. Not pictured: Christine Aguirre, Danielle Alyias, Michal Chmielewski, Chengyun Chu, Jules Cohen, Bruce Dang, Jessica Dash, Richard van Eeden, Michelle Gayral, Cristin Goodwin, Angela Gunn, Joe Gura, Dean Hachamovitch, Chris Hale, Kyle Henderson, Forbes Higman, Andrew Howard, Kostya Kortchinsky, Jane Liles, Matt Miller, William Peteroy, Georgeo Pulikkathara, Rob Roberts, Matt Thomlinson, David Wheeler, Chris Williams. Behind the camera: Jerry Bryant.