LAS VEGAS -- Don't expect Microsoft to offer financial incentives to security researchers who find vulnerabilities...
in its products.
Dave Forstrom, director of Microsoft's Trustworthy Computing Group, said today in an interview with SearchSecurity.com that bug buyback programs established by Google Inc. and Mozilla Corp. run counter to Microsoft's approach to vulnerability research. Such programs fail to keep the process transparent, Forstrom said, and ultimately don't help Microsoft's customers.
Google pays a maximum of $3,133 to researchers who discover Chrome bugs. Mozilla offers a bug bounty of up to $3,000 for certain bugs discovered in Firefox.
"We don't think it's in the customer's best interest to offer a per-vulnerability bounty," Forstom said. "There are a number of ways that we work with the researcher community that we think best serves the community: everything from acknowledging our work together, to all of the sponsorships of conferences that we do further develops the community."
Microsoft made waves last week with a strategic change that the software giant hopes will recast the responsible disclosure debate: dropping "responsible" from the name of its disclosure policy and instead reframing its flaw-reporting program under the title "coordinated vulnerability disclosure."
The announcement has received mixed reactions from the security community. Some say dropping the word responsible removes longstanding animosity between security researchers and software makers, but doesn't do much to change the way researchers report vulnerabilities.
Forstrom, who is attending the Black Hat 2010 conference this week, said the disclosure issue is an ongoing debate that hasn't been exclusive to Microsoft.
"It really comes down to this whole purpose in collaboration and cooperation to get to this point where we're serving the best interest of customers and reducing risk and not amplifying it," Forstrom said.
Adobe, Microsoft team up on Active Protections Program
Among the other Microsoft announcements at Black Hat 2010 is a new partnership that Microsoft believes will help bolster its Active Protections Program (MAPP).
Adobe Systems Inc. is joining forces with Microsoft to provide vulnerability data ahead of patch releases under the MAPP program. Currently 65 security vendors take part in the program, which enables them to develop signatures and exploit detection capabilities for their customers.
Brad Arkin, Adobe's senior director of product security and privacy, said the MAPP program is a natural fit for Adobe, which is trying to increase its transparency and reduce the attack window, which is the time between a vulnerability discovery and when Adobe issues an official patch. Microsoft said its program has helped reduce the attack window by as much as 75%.
"The consistent feedback that we've been getting from the security vendor community is that the Active Protections Program from Microsoft is the gold standard for the way the software makers should be sharing information," Arkin said.
Adobe will offer its product security information through members of the MAPP program, Arkin said, calling it one more layer of defense. The data will be formatted using Microsoft's template and will be made available to members beginning this fall.
To take part in the MAPP program, a vendor must provide defensive technology to a customer base of more than 10,000, such as antivirus (AV), intrusion detection system (IDS) and intrusion prevention system (IPS) technologies.
New mitigation toolkit
Microsoft is releasing a new tool called the Enhanced Mitigation Experience Toolkit. Its intent is to help IT pros apply security mitigation techniques to existing applications. The tool is free and will be available for download in August.
Microsoft's Forstrom said the automated toolkit is especially helpful for organizations running older versions of Microsoft applications. For example, Windows XP users running Internet Explorer 6 may have Data Execution Prevention (DEP) running by default, but heap spray allocation, a memory mitigation technique that helps thwart attacks, needs to be applied manually. However, using the new automated tool, an IT pro can more easily apply the new security mitigations to existing applications, Forstrom said.
"They don't have to recode and they don't have to recompile," Forstrom said. "It's applied through the infrastructure and runs in process."