Exploring Bug Bounties With Microsoft’s Bug Bounty Challenge

Exploring Bug Bounties With Microsoft's Bug Bounty Challenge

Recently, at the Black Hat 2019 conference, technology giant and cybersecurity provider Microsoft made two startling announcements: 

  1. Over the past year, Microsoft paid hackers a grand total of $4.4 million. 
  2. They issued an outright challenge to hackers who feel confident and aggressive to attack them. 

While both announcements appear shocking, in context Microsoft’s action actually make complete sense. The key is to filter their actions and statements through the filter of a bug bounty program. 

What is a bug bounty program? How does Microsoft’s actions compare to other bug bounty programs? Should your enterprise implement a bug bounty program?

What is a Bug Bounty Program? 

First, we need to define bug bounties for the uninitiated.

A bug bounty program refers to a deal offered by enterprises to individuals who discover bugs on their networks. By definition, “bugs” can include anything from security holes to exploits and other digital vulnerabilities. Usually, enterprises use their bug bounty programs to discover and close vulnerabilities before they become public knowledge. 

Generally, bug bounties tend to offer money for the discovery of security. In fact, some companies have run into trouble as a result of trying to avoid paying its bug discoverers. Famously, Yahoo tried to pay its white-hat hackers with t-shirts.           

However, this leads to another question enterprises need to understand…. 

Who Participates in Bug Bounty Programs?  

Many people conflate hackers with all digital threat actors. Indeed, the editors of Solutions Review also tend to fuel this discourse. However, that doesn’t quite bear out in reality. 

The term “hacker” simply refers to any individual who breaks into computer systems and software. This can include white-hat hackers—which include security researchers looking for bugs—and threat actors. Ultimately, the intention and actions of the hacker determine which identity they possess. If the actor comes to your enterprise with news of a bug and didn’t exploit it, they qualify as a white-hat hacker. 

For years, white-hat hackers received rather unfair treatment; some enterprises and institutions threatened them with legal recourse. Yet white-hat hackers only seek to help enterprises stay strong. Bug bounty programs don’t invite malicious hackers any more than any other vulnerability; in fact, you could say hackers would try to attack regardless.

With both of these facts in mind, we come across another question: how should your enterprise handle its’ own bug bounty program? 

How to Run A Program of Your Own

To establish your enterprise’s own bug bounty program, follow these steps: 

  • Establish your goals. Are you looking for general protection or is there something, in particular, you want protection for like a continuous code. 
  • Allocate the necessary funds and resources to establishing your bug bounty.
  • Define your bounty in clear, unambiguous terms. Indeed, you need to establish what exactly qualifies a vulnerability that warrants a payment to avoid any complaints. Additionally, you need to establish the procedure for documenting and reporting any discovered bugs.
  • Through endpoint security capabilities, ensure visibility throughout your network. 
  • Finally, have a plan to review and remediate discovered bugs. You need the flexibility to respond quickly when you receive a threat report; if you receive word of a threat and don’t respond promptly, that can actually backfire on your reputation. 
  • Also, you need to be ready to pay your white-hat hackers.              

Furthermore, you need to make sure your enterprise understand the bug bounty program and can work with it.  

Of course, this leads to perhaps the most prickly question of all: 

How Much Should You Pay? 

When Microsoft announced its bug bounty program, they declared the top prize for an Azure bug discovery as $40,000. Contextually, $40,000 constitutes a year’s salary for many employees. 

Now, Microsoft bears the distinction of being one of the largest companies in the world. Additionally, Microsoft expressed extreme confidence in the strength of its digital perimeter (usually not an advisable attitude in cybersecurity). 

In short, your enterprise doesn’t need to offer quite that much for its own program. What matters here is that the severity of each threat discovered should determine the payout. A vulnerability with low risk should pay less than a critical vulnerability. 

From there, your program payout should depend on the size of your business. An SMB can get away with a $150 payout for a low severity security hole. Meanwhile, a global enterprise may have to pay up to $1,000 for a similar threat. 

However, for the most critical threats, SMBs should consider paying anywhere around $2,000, where a global business may need to pay out around $10,000. While still lower than the Microsoft payout, that amount still proves intimidating. Yet the monetary damage of a breach usually trumps that amount.    

Regardless, you want to encourage white-hat hackers to examine your business critically and form a positive relationship with you. Additionally, a good payout can encourage a less scrupulous hacker to take the payout rather than sell the info on the Dark Web.     

Do You Need a Bug Bounty Program?

According to the FBI, over 4,000 ransomware attacks occur daily. Moreover, 230,000 new malware samples are produced every day. That doesn’t even cover threats like cryptojacking and fileless malware, both of which exploit new kinds of security vulnerabilities. The number of threats your enterprise faces only increases. Also, hackers continually work to make their cyber attacks more effective at penetrating. 

Eventually, no matter the strength of your digital perimeter, something can and will break through the perimeter. However, with a bug bounty program, your enterprise can close security vulnerabilities before hackers find them. 

In other words, you can embrace strategies which only strengthen your perimeter. Of course, your enterprise can also improve its visibility and its endpoint protection through a next-generation solution. 

Obviously, pairing endpoint security and a bug bounty program fortifies your enterprise as much as possible. In cybersecurity, you always pick the choice which makes your business stronger.   

To help you determine your use case, we offer our 2019 Endpoint Security Buyer’s Guide. In it, we cover the top solution providers and their key capabilities. Also, we provide a Bottom Line analysis for each vendor. Our guide can help you determine your business use case and help you find the right fit.

Follow me

Ben Canner

Editor, Cybersecurity at Solutions Review
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner
Follow me