* New program to pay reward up to $150,000
* Google, Facebook offer similar programs
* Underground market offers steep bounties
By Jim Finkle
BOSTON, June 19 (Reuters) - Microsoft Corp is looking to recruit computer geeks in its ongoing efforts to protect Windows PCs from attacks, offering rewards of as much as $150,000 to anybody who helps identify and fix major security holes in its software.
Microsoft unveiled the rewards program, one of the most generous in the high-tech industry to date, on Wednesday as it sought ways to prevent sophisticated attackers from subverting new security technologies it has introduced in the latest versions of the Windows operating system.
The program is open to computer experts as young as 14, though minors need permission from their parents. Residents of countries under U.S. sanctions, such as Cuba, Iran, North Korea, Sudan and Syria, are banned from the program.
The sheer size of the bonus is likely to grab the attention of the hacking community, though claiming the big money will require them to do battle with Microsoft’s latest anti-hacking technology and then detail their approach.
“It’s pretty generous, though what they are asking for is a pretty high bar,” said Chris Wysopal, chief technology officer of Veracode, a security firm that helps identify software bugs.
Microsoft has plenty of competition in getting elite hackers to turn their attention on its aging Windows franchise, which operates the vast majority of the world’s personal computers.
Windows computers have been involved in most major attacks to date, including the recent Citadel cyber crime ring that stole more than $500 million from banks and the Stuxnet virus that attacked Iran’s nuclear program in 2010 by exploiting previously unknown bugs in Microsoft software.
The best hackers are heavily recruited by the military, intelligence agencies and big corporations, who lure them with scholarships and high-paying jobs.
Microsoft is also competing for the attention of the top hacking talent on a growing global gray market, where information about vulnerabilities is sold to criminals as well as governments that use it in military and intelligence operations. Bounties start at $50,000 for tools that enable attackers to break into computers, even when they are protected by up-to-date security software.
In the industry, exploits of such vulnerabilities are called “zero-days,” because a targeted software maker has had zero days’ notice to fix the hole when the malicious software is eventually discovered.
Mike Reavey, senior director with the Microsoft Security Response Center, declined in an interview to talk about the “zero day” market for vulnerabilities in Windows products, saying the company was seeking to encourage hackers to use their skills in helpful ways.
“It’s difficult to comment on the dark side,” he said. “The intention of these (bounty) programs is to incentivize good behavior.”
Reavey said he hoped Microsoft’s new program would woo some candidates away from an annual contest known as Pwn2Own (pronounced “pown to own”), which has become a key venue for elite hackers to disclose major security flaws in software.
The latest Pwn2Own, which was held in Vancouver in March and sponsored by Hewlett-Packard Co, paid out nearly $480,000 in prize money, according to HP’s website.
Hackers won the competition by identifying new ways to “pwn,” or take ownership of, browsers from Microsoft, Firefox and Google Inc, Oracle Corp’s Java and Adobe System Inc’s Flash and Reader software.
Some other big technology firms already offer similar programs. Google has handed out $1.7 million in 3 years, including prizes as big as $60,000. Facebook Inc said it has paid out $500,000 to $1 million since it began its program two years ago. Adobe does not offer bounties, though it brings in hackers as temporary consultants to help fix problems that they identify.
Microsoft is also running a one-month contest, starting July 26, offering bounties of up to $11,000 to hackers who find bugs in the trial version of its new Internet Explorer 11 browser, which will be in preview release.