Interview Microsoft’s bug bounty program celebrated its tenth birthday this year, and has paid out $63 million to security researchers in that first decade – with $60 million awarded to bug hunters in the past five years alone, according to Redmond.
While these days, the vulnerability disclosure and reward program seems like a no-brainer for a huge software concern, ten years ago “the bug bounty initiative was not free from internal resistance,” recalled Aanchal Gupta, Microsoft corporate VP and deputy CISO.
From chaos to cadence: Celebrating two decades of Microsoft’s Patch Tuesday
In a write-up this week commemorating the program’s first decade, Gupta recounts how it started with reports of vulnerabilities in a preview of Internet Explorer 11 and exploitation of holes in Windows 8.1. Back in 2013, the reward for flaws found in IE in preview was especially novel, she added.
“Although not pioneers in offering monetary incentives for external parties to report software security vulnerabilities, we were among the first to incentivize the discovery of issues in beta or preview products,” Gupta wrote. “Our belief was that early identification and resolution of bugs, preferably before the product’s general release, is paramount in customer protection.”
Gupta also highlighted the bug bounty initiative’s explosive growth, especially since 2018. In fiscal year 2019, for example, Microsoft “more than doubled the number of bounty reports, program participants, and awards compared to the previous year,” she wrote. A year later, it awarded more than $13 million to more than 300 security researchers across 15 categories, and also awarded larger prizes for more serious issues.
“In July 2020, we introduced scenario-based categories with higher awards, up to $100,000 for vulnerabilities posing serious risks to customer privacy and security,” Gupta recounted. “Researchers rallied, increasing the number of zero-click Remote Code Execution (RCE) or cross-tenant vulnerabilities found by more than 50 percent year-over-year.”
Additionally, she credited Katie Moussouris, who played a key role in convincing Redmond’s top brass that Microsoft needed a bug bounty program – despite execs vowing never to pay researchers for bugs.
Moussouris, who founded her own company Luta Security in 2016, also commemorated the program’s birthday with a reminiscence – detailing the years of blood, sweat, and data she spent championing bug bounties to Microsoft’s leadership.
“At the time, it would have been a hard sell for anyone,” Moussouris told The Register. Netscape announced its early bug bounty in 1995 with a $500 reward, and then 15 years later Google offered $1,337 per vulnerability in 2015. “Nobody else wanted to do this,” Moussouris explained.
How to sell a new idea to an old company
Moussouris detailed the years’ worth of data points she collected to prove the business case for bug bounties, as well as the ISO standards on vulnerability disclosure and code handling processes that she co-authored and co-edited in the meantime.
But ultimately, the tipping point for Microsoft came down to wanting to beat a young company called Google, which had its own browser that was challenging Internet Explorer’s market dominance. “It was the growing competition presented by Google Chrome, that old product competition fire, that got us over the finish line,” Moussouris told The Register.
Once Microsoft started a bug bounty program, the Pentagon took note. That led to the first-ever US military bug bounty event.
“When Hack the Pentagon happened in 2016, that again, was another seminal event where not only was the biggest military the world had ever seen inviting hackers to test its systems, but it had this cascade effect of encouraging other governments – not just other government agencies in our own government, but other governments around the world – to start looking at these practices seriously,” Moussouris recalled proudly.
Is software more secure?
But have these types of vulnerability disclosure rewards made software more secure?
No, according to Moussouris. And she attributes this, ironically, to the rise of bug bounty platforms and developers investing in cash payouts and vulnerability disclosure programs instead of doing the real work of secure software development.
“Because both of those are investments – it’s not just about cash payments, it’s about the work you have to do to actually fix the vulnerabilities,” she explained.
“So it’s always been my philosophy that look, you’ve got to try and prevent as many bugs as you can, try and fix as many bugs as you can find yourself, and then you can open up to a vuln disclosure or bug bounty program.”
Feedback loops, and meaningful metrics
To make software and hardware products more secure, Moussouris wants to see a “concrete feedback loop,” with bug bounty learnings feeding back into organizations’ secure development life cycles.
Plus, those running the bounties should do a better job setting “meaningful metrics” by which to assess their programs’ success – rather than just how much cash did they pay out to how many researchers.
“There has to be things like: did we reduce or eliminate classes of vulnerabilities? That’s a metric that would show you are connecting the dots between the bug bounty program and your secure development lifecycle,” Moussouris explained.
Other metrics include: did mean time to repair decrease for the most critical flaws? If not, it’s a good idea to allocate more resources into that area, she added.
Moussoris concluded with a challenge: “Have we tuned our bug bounty programs to talk to our incident response and threat intelligence to monitor and react in real time to real attacks?
“Attacks are on the rise. That’s not going to change. How are you using your bug bounty program to shape your live incident response and make it more efficient?” ®