New Opportunities to Use Your Security Skills to Make Money with Microsoft

Microsoft has set aside its policy of not paying for vulnerabilities and now has started several new programs to pay researchers for their findings. See Microsoft enters bug bounty fray for first time. Researchers can earn up to $100,000 for “truly novel exploitation techniques” against protections built into the latest version of the Windows 8 operating system (the Windows 8.1 Preview at program launch).

There are also monetary rewards for finding issues in the newest IE (IE11) and for proposing defenses against mitigation bypasses. Microsoft hopes to bolster its relationship with the cyber security research community and to fill gaps it perceives “in the current marketplace and enhance our relationships within this invaluable community, all while making our products more secure for our customers.”

While there is a lot of debate about the impacts of formulating a bounty program like the above, one thing certainly stands out. Incentives for finding or preventing issues can only benefit Microsoft and the cyber security community in the long run. My opinion is that the incentives will probably foster cyber security research as well as garner the attention of individuals with cyber security interests to put their talents to use for positive outcomes rather than nefarious pursuits. On top of that, real security issues will be identified and hopefully fixed or mitigated.

My opinion is of course tempered with the realization that even people whom we trust to do the right thing may not. The recent Edward Snowden case has brought the threats of cyber-espionage, cyber-war and a cyber Cold War to the forefront of international news again. No matter whose side you take in this case, it is clear that privacy and security are in conflict. When should privacy rights prevail over security interests, and who should make those decisions?

In addition, I have always been sensitive to the cultural challenges present in the cyber security community. I come from a military background where one of the first tenets of security is to compartmentalize. This means that usually the right hand does not know what the left hand is doing, with the exception of a few individuals with the need to know. On the other side of the coin, we would like to make everyone knowledgeable about cyber security and have them take an active role in protecting their own sensitive data. The best way to understand and prevent exploitation is to know the threats and take the appropriate actions. However, most people would rather not talk publicly about, or share detailed information on, the real attacks they have faced, whether those attacks succeeded or were repelled. This is the dilemma. The train of thought for a company is “If we talk about the security issues we have in our company or product, are we helping prevent attacks or are we just fostering more attacks?”

Certainly, there are copycats or even “script kiddies” who would take advantage of a known security issue and who will try to repeat it in another environment. For example, one only needs to look at the way attackers mine the library of published security fixes to attack systems that have not yet been patched. As in the above debate on privacy versus security, the question of transparency becomes paramount. The problems are deciding when to disclose things, whom to disclose them to and how much detail to provide. The decisions on this are usually determined by the entity under cyber-attack, but it is not always so. In addition, it is not just individuals or companies who have this problem; at the country level the same issues are prevalent. Consider what is happening with the Edward Snowden case. These issues, like many others relevant to cyber security, are more of a people / human problem than a technical one and will require lots of debate and discussion before they are adequately addressed.