Bug Bounties

Bug bounty schemes have always been controversial. In the early days of the Internet someone who found a bug in software was expected to inform the author and help fix it, as a matter of social responsibility. Suggesting that those researching vulnerabilities be paid for their time and effort seemed rather grubby. Unfortunately not everyone shared those scruples. Taking valuable information out of companies, building botnets and spam networks are all a lot easier if you know about software vulnerabilities that others don’t, so once criminals had worked out how to make money out of those activities it made economic sense for them to pay, or even employ, researchers to find bugs. It took a bit longer to work out an economic model that paid vulnerability researchers to remove problems, but eventually commercial vulnerability brokers appeared who paid researchers for information and then provided it, on a commercial basis, to companies supplying protection systems for networks and computers.

Both those existing markets are mostly concerned with vulnerabilities in production software. If you are a criminal then you want exploits that will give you control of lots of Internet-connected systems. If you are trying to sell a protection product, then protecting against vulnerabilities that aren’t yet in your clients’ systems isn’t a great sales pitch. Instead of adding to these markets, Microsoft’s new bug bounty programme looks earlier in the software life cycle: before programs are released as products. Microsoft already makes code available in pre-release (known as 'beta') condition, but apparently neither criminals nor brokers will pay much for vulnerabilities discovered at this stage because there is a reasonable probability that they will be discovered and fixed (or the vulnerable code removed for other reasons) before the product is released. If researchers find a vulnerability in pre-release software, the only way to get paid is to wait and hope that it is not discovered before it acquires a market value.

By offering a bounty for vulnerabilities in beta code, Microsoft are therefore creating a new opportunity for researchers who want to do the right thing and have a financial reward for their time and effort. In return, Microsoft add another tool to their software process: like code review and penetration tests, vulnerability researchers bring independent eyes that may spot bugs that developers, who know how the code is supposed to work, may not. It strikes me that fixing bugs in beta code is also very effective for the “good of the Internet” motive we started out with. Once vulnerable code is installed on customer computers many, perhaps most, will never be fixed. If computers or their operators do not regularly install patches as they become available then the bug will persist, and may be exploitable, for ever, or at least until the computer hardware fails. Discovering bugs at beta stage, when all the vulnerable code is still firmly in the vendor’s control, means none of us need to worry about their impact on the Internet or the systems we connect to it.

Wired have an article comparing vulnerability bounty programs.