* New program to pay reward up to $150,000
* Google, Facebook offer similar programs
* Underground market offers steep bounties
By Jim Finkle
BOSTON, June 19 Microsoft Corp is
looking to recruit computer geeks in its ongoing efforts to
protect Windows PCs from attacks, offering rewards of as much as
$150,000 to anybody who helps identify and fix major security
holes in its software.
Microsoft unveiled the rewards program, one of the most
generous in the high-tech industry to date, on Wednesday as it
sought ways to prevent sophisticated attackers from subverting
new security technologies it has introduced in the latest
versions of the Windows operating system.
The program is open to computer experts as young as 14,
though minors need permission from their parents. Residents of
countries under U.S. sanctions, such as Cuba, Iran, North Korea,
Sudan and Syria, are banned from the program.
The sheer size of the bonus is likely to grab the attention
of the hacking community, though claiming the big money will
require them to do battle with Microsoft's latest anti-hacking
technology and then detail their approach.
"It's pretty generous, though what they are asking for is a
pretty high bar," said Chris Wysopal, chief technology officer
of Veracode, a security firm that helps identify software bugs.
Microsoft has plenty of competition in getting elite hackers
to turn their attention on its aging Windows franchise, which
operates the vast majority of the world's personal computers.
Windows computers have been involved in most major attacks
to date, including the recent Citadel cyber crime ring that
stole more than $500 million from banks and the Stuxnet virus
that attacked Iran's nuclear program in 2010 by exploiting
previously unknown bugs in Microsoft software.
COMPETING FOR TALENT
The best hackers are heavily recruited by the military,
intelligence agencies and big corporations, who lure them with
scholarships and high-paying jobs.
Microsoft is also competing for the attention of the top
hacking talent on a growing global gray market, where
information about vulnerabilities is sold to criminals as well
as governments that use it in military and intelligence
operations. Bounties start at $50,000 for tools that enable
attackers to break into computers, even when they are protected
by up-to-date security software.
In the industry, exploits of such vulnerabilities are called
"zero-days," because a targeted software maker has had zero
days' notice to fix the hole when the malicious software is
Mike Reavey, senior director with the Microsoft Security
Response Center, declined in an interview to talk about the
"zero day" market for vulnerabilities in Windows products,
saying the company was seeking to encourage hackers to use their
skills in helpful ways.
"It's difficult to comment on the dark side," he said.
"The intention of these (bounty) programs is to incentivize good
Reavey said he hoped Microsoft's new program would woo some
candidates away from an annual contest known as Pwn2Own
(pronounced "pown to own"), which has become a key venue for
elite hackers to disclose major security flaws in software.
The latest Pwn2Own, which was held in Vancouver in March and
sponsored by Hewlett-Packard Co, paid out nearly
$480,000 in prize money, according to HP's website.
Hackers won the competition by identifying new ways to
"pwn," or take ownership of, browsers from Microsoft, Firefox
and Google Inc, Oracle Corp's Java and Adobe
Systems Inc's Flash and Reader software.
Some other big technology firms already offer similar
programs. Google has handed out $1.7 million in 3 years,
including prizes as big as $60,000. Facebook Inc said it
has paid out $500,000 to $1 million since it began its program
two years ago. Adobe does not offer bounties, though it brings
in hackers as temporary consultants to help fix problems that
Microsoft is also running a one-month contest, starting July
26, offering bounties of up to $11,000 to hackers who find bugs
in the trial version of its new Internet Explorer 11 browser,
which will be in preview release.