The program he runs is a win-win for the security research community and Microsoft customers: it encourages and rewards security researchers for unearthing vulnerabilities in Microsoft's products, protecting the broader technology ecosystem that touches people's lives. Meet Jarek Stanley, Senior Program Manager, who leads Microsoft's Bug Bounty Program as part of the Microsoft Security Response Center.
We caught up with Stanley on the sidelines of Nullcon Goa 2019 to understand how the program has evolved and the role the research community in India plays in making Microsoft products more secure.
What is Microsoft’s Bug Bounty Program? How does it work?
The Microsoft Bug Bounty Program encourages and rewards security researchers who find and report security vulnerabilities in Microsoft products and services. We strongly believe that close partnerships like this with the global research community help make our customers, and the broader ecosystem, more secure.
Individuals from across the globe, be they full-time cybersecurity professionals, part-time hobbyists, or students, are invited to find, and report to Microsoft, software security vulnerabilities in specific Microsoft products and services, like Microsoft Windows, Office 365, or Microsoft Azure cloud services. We welcome and review every submission, and for qualified submissions offer awards from USD500 to as much as USD250,000. If a submission isn't eligible for bounty but still helps us fix or improve our product, we also offer public recognition and thanks on our website.
Submissions through our bounty program are addressed through the principle of Coordinated Vulnerability Disclosure (CVD), where we ask the security research community to give us an opportunity to correct a vulnerability and confirm the remediation before publicly identifying or disclosing it, the same way that we do ourselves when we discover vulnerabilities in other vendors’ products. This serves everyone’s best interests by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities, but are not exposed to malicious attacks while the update is being developed. After customers are protected, public discussion of the vulnerability helps the industry at large improve its products.
Why does a company like Microsoft, which invests heavily in security, need such a program?
It is our job to build the best possible software that we can, and to protect it continuously to the very best of our ability. Our bug bounty program is just one of the many ways we do this. We have more than 3,500 security professionals dedicated to keeping our products and customers secure, including dedicated red and blue teams that constantly assess the security of our products. We are committed to the Security Development Lifecycle (SDL), where we engage and advance industry standards to address security vulnerabilities before our products launch, and we run a world-class cloud-powered malware defense, intelligence, and response operation. At the end of the day, no software is perfect, and Microsoft is committed to working in our customers' best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact people's lives.
Why should security researchers work with Microsoft to report vulnerabilities in its products and services?
Our customers' security is important to us. We ask that if you find a vulnerability in our products, services, or devices, you report it to us privately and work with us until an update is released. We are committed to working on each report diligently and to addressing it in a reasonable time period, and in recognition of the partnership we offer bounty awards and will acknowledge your contributions publicly once the fix is available. Security vulnerability research can be a great way for students and professionals to learn about new technologies or hone their software security skills. Public recognition for helping Microsoft find and fix vulnerabilities can also be helpful in building a strong reputation as a software security professional.
Can you tell us about the contribution of security researchers from India and the impact they’ve had to make Microsoft products more secure?
There is an incredible amount of talent and creativity in the security research community in India, and that shows in the impact they've had as part of the bounty program. In 2018 we awarded more than USD90,000 in bounty to India-based researchers. Four India-based researchers earned recognition on our list of the top 100 security researchers who contributed research to Microsoft products and services in 2018.
How has Microsoft’s Bug Bounty Program evolved over the years, especially with the advent of cloud and AI?
We’re constantly evaluating our programs to determine how to increase the win-win between the security research community and Microsoft’s customers. For example, over the past few years we’ve expanded the scope of our bounty program to include more Azure cloud products and services, offering greater security for our customers and more bounty opportunities for researchers. This year we launched a new bounty for Azure DevOps, with rewards up to USD20,000, and increased rewards in the Windows bounty program up to USD50,000.
Finally, can you share any tips for security researchers that can help make the biggest impact for their bounty submissions?
There are two simple things that can help improve the impact, and the possible bounty reward, of security vulnerability submissions. The first is to focus vulnerability research on the products and services that are eligible for bounty rewards. Many products and services are eligible, but not all, and we provide full details for researchers on our public website. The eligible scope changes over time, and has usually been expanding in recent years, so check back regularly for new potential areas to research. The second is to provide clear, concise information about how our engineering teams can reproduce the vulnerability for themselves, including version or configuration information where appropriate. Clear, detailed, well-written instructions, or even short videos, can more than double the possible award amount for bounty-eligible properties.