Last week, Microsoft announced it’s offering a bug bounty program. Find a working exploit in Windows 8.1/blue/whatever it’s called this week, and Microsoft will hand over $100,000. Find a mitigation for that exploit, and Microsoft will pony up for that too, up to $50,000.
I think I know what they’re up to.
One security podcaster I listen to speculated that Microsoft may find themselves with a $15 million liability on their hands. I doubt it. By the same podcaster’s estimates, Microsoft fixes 1-2 remote code execution exploits per month. Oracle fixed 37 of them in the last Java update (only three of the fixes in the last rollup didn’t involve remote code execution–which makes me wonder if they could do worse if they tried).
This program isn’t going to turn Windows 8.1 into Java. Maybe it doubles the number of serious hotfixes every month for a while, but that wouldn’t be a bad thing–it would mean the worst bugs are getting found and fixed faster. I’ll actually be surprised if Microsoft pays out more than a couple of million bucks per year on this program, on average.
And Microsoft has a serious problem on their hands. People aren’t buying Windows 8. This bug bounty means they can tell corporations that they plan to spend whatever it takes in 2014 to make Windows 8.1 the most secure operating system they’ve ever made, and they’ll spend exactly zero on Windows XP after April. That will carry some weight, though exactly how much is unclear. It’s one of the few things they haven’t tried, short of giving it away, and they’re not going to do that as long as Steve Ballmer is running the place.
So it’s not a terribly expensive fix. And even if this program did cost Microsoft $15 million a year, that’s still not a lot of money to a company that makes $18 billion in a good quarter, and isn’t shy about spending $11 billion on advertising.
So while I don’t expect this program to fix everything, I can’t see any way that it makes things worse. It’s a good PR move.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.