Last week, Microsoft announced it’s offering a bug bounty program. Find a working exploit technique in Windows 8.1 (codename Blue, or whatever it’s called this week) that gets past the operating system’s built-in exploit mitigations, and Microsoft will hand over $100,000. Find a defense for that bypass, and Microsoft will pony up for that too, up to $50,000.
I think I know what they’re up to.
One security podcaster I listen to speculated that Microsoft may find themselves with a $15 million liability on their hands. I doubt it. By the same podcaster’s estimates, Microsoft fixes 1-2 remote code execution vulnerabilities per month. Oracle fixed 37 of them in the last Java update (only three of the fixes in the last rollup didn’t involve remote code execution–which makes me wonder if they could do worse if they tried).
This program isn’t going to turn Windows 8.1 into Java. Maybe it doubles the number of serious hotfixes every month for a while, but that wouldn’t be a bad thing–it would mean the worst bugs are getting found and fixed faster. I’ll actually be surprised if Microsoft pays out more than a couple of million bucks per year on this program, on average.
And Microsoft has a serious problem on their hands. People aren’t buying Windows 8. This bug bounty means they can tell corporations that they plan to spend whatever it takes in 2014 to make Windows 8.1 the most secure operating system they’ve ever made, and they’ll spend exactly zero on Windows XP after April. That will carry some weight, though exactly how much is unclear. It’s one of the few things they haven’t tried, short of giving it away, and they’re not going to do that as long as Steve Ballmer is running the place.
So it’s not a terribly expensive fix. And even if this program did cost Microsoft $15 million a year, that’s still not a lot of money to a company that makes $18 billion in a good quarter, and isn’t shy about spending $11 billion on advertising.
So while I don’t expect this program to fix everything, I can’t see any way that it makes things worse. It’s a good PR move.