Lockdown resulted in surge in reports, says software giant

UPDATED Microsoft has awarded $13.7 million in bug bounties over the last year, more than three times the $4.4 million earned by security researchers over the preceding 12-month period.

A year-in-review report from Microsoft, published on Tuesday (August 4), reveals that the spoils from the discovery of vulnerabilities in the company’s technology were split between 327 researchers.

Redmond said that over the last 12 months it had launched six new bug bounty programs that attracted more than 1,000 eligible reports. Microsoft is running a total of 15 eligible programs.

New bug bounty programs include the Azure Security Lab, Microsoft Edge on Chromium Bounty Program, and the Election Guard Bounty Program. On the consumer front, Microsoft also launched an Xbox Bounty Program.

The enterprise software firm also launched two new research grants, including an Identity Research Grant. With an eye to the future, Microsoft is also bolstering its research efforts into machine learning and artificial intelligence.

Covid-19 catalyst

With much of the world forced into lockdown in response to the coronavirus pandemic, researchers have upped the ante in their hunt for bugs in Microsoft’s technology.

“Covid-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic,” a blog post by Microsoft explains.

Katie Moussouris, the security researcher who established Microsoft’s bug bounty program back in 2013 before founding Luta Security, expressed reservations about the extent to which higher bug bounty payouts will improve security at Microsoft and elsewhere.

"Studies like NIST's from ancient times show that bugs cost 30x more to fix after release than in the design phase. Microsoft invests a lot on secure development, bug prevention, and internal bug discovery," Moussouris told The Daily Swig. "For them, risk is bounty prices creeping up interfering with hiring or retention."

Moussouris added that she worried about "perverse incentives creeping into bounties as prices soar".

"For many others, bug bounties have been trending toward a dangerous and inefficient resource shift away from investments in secure development and internal bug discovery to scrambling to fix bug bounty submissions that could have and should have been prevented or detected in-house," she said.

"Bug bounty companies do not ease this burden," Moussouris concluded.

This story was updated on August 6 to add comments from Katie Moussouris
