Last Updated on March 25, 2025 by Dave Farquhar
Last week, Microsoft announced it’s offering a bug bounty program. Find a working exploit in Windows 8.1/Blue/whatever it’s called this week, and Microsoft will hand over $100,000. Find a mitigation for that exploit, and Microsoft will pony up for that too, up to $50,000.
I think I know what they’re up to.
One security podcaster I listen to speculated that Microsoft may find themselves with a $15 million liability on their hands. I doubt it. By the same podcaster’s estimates, Microsoft fixes 1-2 remote code execution exploits per month. Oracle fixed 37 of them in the last Java update (only three of the fixes in the last rollup didn’t involve remote code execution–which makes me wonder if they could do worse if they tried).
This program isn’t going to turn Windows 8.1 into Java. Maybe it doubles the number of serious hotfixes every month for a while, but that wouldn’t be a bad thing–it would mean the worst bugs are getting found and fixed faster. I’ll actually be surprised if Microsoft pays out more than a couple of million bucks per year on this program, on average.
And Microsoft has a serious problem on their hands. People aren’t buying Windows 8. This bug bounty means they can tell corporations that they plan to spend whatever it takes in 2014 to make Windows 8.1 the most secure operating system they’ve ever made, and they’ll spend exactly zero on Windows XP after April. That will carry some weight, though exactly how much is unclear. It’s one of the few things they haven’t tried, short of giving it away, and they’re not going to do that as long as Steve Ballmer is running the place.
So it’s not a terribly expensive fix. And even if this program did cost Microsoft $15 million a year, that’s still not a lot of money to a company that makes $18 billion in a good quarter, and isn’t shy about spending $11 billion on advertising.
So while I don’t expect this program to fix everything, I can’t see any way that it makes things worse. It’s a good PR move.

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.
