Microsoft forked out $13.7m in bug bounties. The reward program's architect thinks the money could be better spent

'A secure dev lifecycle has a much higher ROI than letting the public do the bug detection work for you'


Microsoft's bug bounty program has exploded in terms of scope and payouts.

The Windows giant said on Tuesday that over the twelve months to June 30, 2020, it paid out $13.7m for reports of vulnerabilities in its products, more than treble the year-ago total of $4.4m.

The coronavirus pandemic played a part in the bug-report explosion, said Microsoft, as flaw finders forced to stay indoors – or perhaps laid off and looking for a payday – hammered away at Redmond's code. The rest was down to the IT titan increasing the number of programs and pathways to reporting programming blunders for money.

"This year, we launched six new bounty programs and two new research grants, attracting over 1,000 eligible reports from over 300 researchers across 6 continents," noted Microsoft Bug Bounty lead Jarek Stanley.

"In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic."

This vulnerability gold rush might explain why, of late, Microsoft's monthly batches of security patches have each addressed more than 100 CVE-listed bugs at a time.

While the payouts are a nice figure for Microsoft to throw out there when talking up its bug bounty program, they may not be an indicator of healthy long-term security priorities.

Katie Moussouris, once the architect of Redmond's bug-bounty program and now the CEO of Luta Security, fears there's a growing over-emphasis on external bug rewards – rewards for outside experts finding holes in software after it is released to the public – as opposed to investment in staff and resources to limit the release of buggy code in the first place.

She fears that, at some point in the future, more and more people with the right skills will simply wait for applications or system software to be released, find bugs in that production code, and report them for six-figure payouts, rather than stopping the flaws from seeing the light of day in the first place. She also fears that other companies will follow in Microsoft's footsteps.

"While I love the expansion of what is in scope for the Microsoft Bug bounty programs, I’m concerned that the dollar amounts are creeping into perverse incentive territory," Moussouris told The Register. "Most security programs can find many more efficient uses for $14m in vulnerability prevention and detection in-house.

"I’m worried there’s a trend to skip important internal security investments, and the inevitable cannibalization of the hiring pipeline, when bounty prices exceed what in-house salaries are for prevention of bugs."

The venerable Ms. Mo, who in addition to Microsoft also helped set up the bug bounty program for the US Department of Defense, has in recent years become less of an advocate for bug pay-offs and more for dedicated security departments that can triage and patch the bugs.

"Microsoft definitely invests internally in security, but the trend towards setting certain bug bounties at $250,000 or even over a million as Apple has done, risks tempting internal security folks to leave their jobs, and will make recruiting new talent harder, especially if they can stay independent and make more money," said Moussouris.

"What companies should do before ever considering even a small bug bounty is assess their internal capabilities for preventing, finding, and fixing security bugs. Internal investments in hiring more skilled security people in-house, using better tools, and mandating a secure development lifecycle has a much higher return-on-investment than letting the public do the bug detection work for you after." ®
