This article is more than 1 year old
Microsoft forked out $13.7m in bug bounties. The reward program's architect thinks the money could be better spent
'A secure dev lifecycle has a much higher ROI than letting the public do the bug detection work for you'
Microsoft's bug bounty program has exploded in terms of scope and payouts.
The Windows giant said on Tuesday that over the twelve months to June 30, 2020, it has paid out $13.7m for reports of vulnerabilities in its products, more than treble the year-ago total of $4.4m
The coronavirus pandemic played a part in the bug-report explosion, said Microsoft, as flaw finders forced to stay indoors – or perhaps laid off and looking for a payday – hammered away at Redmond's code. The rest was down to the IT titan increasing the number of programs and pathways to reporting programming blunders for money.
"This year, we launched six new bounty programs and two new research grants, attracting over 1,000 eligible reports from over 300 researchers across 6 continents," noted Microsoft Bug Bounty lead Jarek Stanley.
"In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic."
Tencent floats bug bounties for its cloudy Linux and IoT OSesREAD MORE
This vulnerability gold rush might explain why, as of late, Microsoft's monthly batch of security patches have addressed more than 100 CVE-listed bugs at a time.
While the payouts are a nice figure for Microsoft to throw out there when talking up its bug bounty program, they may not be an indicator of healthy long-term security priorities.
Katie Moussouris, once the architect of Redmond's bug-bounty program and now the CEO of Luta Security, fears there's a growing over-emphasis on external bug rewards – rewards for outside experts finding holes in software after it is released to the public – as opposed to investment in staff and resources to limit the release of buggy code in the first place.
That, at some point in the future, more and more folks with the right skills might just wait for applications or system software to be released, find bugs in that production code, and report them for six-figure payouts rather than stop the flaws from seeing the light of day in the first place. And that other companies will follow in Microsoft's steps.
"While I love the expansion of what is in scope for the Microsoft Bug bounty programs, I’m concerned that the dollar amounts are creeping into perverse incentive territory," Moussouris told The Register. "Most security programs can find many more efficient uses for $14m in vulnerability prevention and detection in-house.
I’m worried there’s a trend to skip important internal security investments, and the inevitable cannibalization of the hiring pipeline, when bounty prices exceed what in-house salaries are for prevention of bugs
"I’m worried there’s a trend to skip important internal security investments, and the inevitable cannibalization of the hiring pipeline, when bounty prices exceed what in-house salaries are for prevention of bugs."
The venerable Ms. Mo, who in addition to Microsoft also helped set up the bug bounty program for the US Department of Defense, has in recent years become less of an advocate for bug pay-offs and more for dedicated security departments that can triage and patch the bugs.
"Microsoft definitely invests internally in security, but the trend towards setting certain bug bounties at $250,000 or even over a million as Apple has done, risks tempting internal security folks to leave their jobs, and will make recruiting new talent harder, especially if they can stay independent and make more money," said Moussouris.
"What companies should do before ever considering even a small bug bounty is assess their internal capabilities for preventing, finding, and fixing security bugs. Internal investments in hiring more skilled security people in-house, using better tools, and mandating a secure development lifecycle has a much higher return-on-investment than letting the public do the bug detection work for you after." ®