Tech firms large and small are adding their names to the growing roster of companies that use cash rewards to crowdsource some of their security operations.
Microsoft announced an open bug-bounty program for its Web services on Tuesday to “reward and recognize security researchers,” said Travis Rhodes, the senior security lead on Office 365, in a blog post. The payout for qualifying bugs starts at $500 and covers Microsoft’s cloud services starting with Office 365. Other Microsoft online services may be included in the future.
Bug bounties have been around for at least a decade, but tech firms have begun using them in earnest over the past five years. The programs reward security researchers for disclosing bugs to companies and benefit companies by keeping damaging bugs off the black market for vulnerabilities. Bug Crowd maintains a list of active bug bounties on offer from more than 300 companies, with rewards varying from cash to company swag to a bug bounty hall of fame.
Google, which was initially criticized by several well-known security researchers in 2010 when it opened its first bug bounty, has since gained a reputation for handsomely rewarding its bug bounty participants.
Yahoo stumbled last year with its bug bounty when it was caught offering a choice between $12.50 in Yahoo store credit or a Yahoo T-shirt in exchange for a new bug. The company changed its policy following an outcry by the independent research community, and now offers between $150 and $15,000 for new bugs.
The bounty program, called the Online Services Bug Bounty, is not Microsoft’s first. A Mitigation Bypass Bounty rewards researchers who successfully determine new vulnerability scenarios for evading security techniques. Mitigation bypasses often create a path past a security system by using several vulnerabilities. Microsoft also offers a reward of up to $50,000 for research papers that detail new techniques to block mitigation bypasses.
Meanwhile, mobile security firm Silent Circle is now offering a bug bounty for the Blackphone, its privacy-focused Android smartphone. Rewards start at $128 and have no upper limit. Rewards will be paid for bugs found not just in PrivatOS, the version of Google’s Android operating system that powers the Blackphone, and its integrated apps, but also in the Blackphone’s associated Web portals and update servers.
Dan Ford, chief security officer of Blackphone, told security blog Threatpost that Blackphone needed a bug bounty program because the ambitious claims his company makes about the phone’s security have turned it into a target for hackers.
“We have a big target on our chest,” he said. “We want to continue being the most secure, private Android device manufacturer out there, and a lot of people think it can’t be done.”