Microsoft Goes Big in Security Bug Bounties: Its $13.7m is Double Google's 2019 Payouts (zdnet.com)

Microsoft has revealed it has awarded security researchers $13.7m for reporting bugs in Microsoft software since July last year. From a report: Microsoft's bug bounties are one of the largest sources of financial awards for researchers probing software for flaws and, importantly, reporting them to the relevant vendor rather than selling them to cybercriminals via underground markets or exploit brokers who distribute them to government agencies. The Redmond company has 15 bug-bounty programs through which researchers netted $13.7m between July 1, 2019 and June 30, 2020. That figure is triple the $4.4m it awarded in the same period the previous year. [...] Microsoft's total annual bug-bounty payouts are now much larger than Google's awards for security flaws in its software, which totaled $6.5m in calendar year 2019. That figure was double the previous year's payouts from the ad and search giant, which called it a "record-breaking year."
  • by John_Sauter ( 595980 ) <John_Sauter@systemeyescomputerstore.com> on Tuesday August 04, 2020 @05:42PM (#60366669) Homepage

    Maybe Microsoft pays more because Microsoft software has more bugs than Google software.

    • by cusco ( 717999 )

      Of course they do. Something that runs a phone is going to be an order of magnitude simpler to manage (especially when other people already did the core work) than something that runs the world's businesses.

      My 4th grade niece would put her hands on her hips, cock her head, and say "Duh!"

      • Of course they do. Something that runs a phone is going to be an order of magnitude simpler to manage (especially when other people already did the core work) than something that runs the world's businesses.

        My 4th grade niece would put her hands on her hips, cock her head, and say "Duh!"

        I don't agree that Microsoft runs the world's businesses. They certainly don't run my business, and lots of other businesses use non-Microsoft software, such as SAP and Oracle.

        Is Microsoft responsible for as much code as Google? Microsoft has Windows and Office, and probably other software that I am not familiar with, but the bugs we hear about every "patch Tuesday" are in Windows. Google's equivalent to Windows is Android, which includes Linux. Somehow we don't hear about as many bugs in Android.

        I susp

        • by cusco ( 717999 )

          I don't agree that Microsoft runs the world's businesses.

          Over 80% of computers used in businesses worldwide run Windows. At second Apple hovers around 9-12%. I suppose your agreement is not in any way necessary.

          • I don't agree that Microsoft runs the world's businesses.

            Over 80% of computers used in businesses worldwide run Windows. At second Apple hovers around 9-12%. I suppose your agreement is not in any way necessary.

            I don't know where you got your 80% number, but I suspect you are counting only desktops and laptops. Businesses also use computers for smartphones, embedded processing and servers. Even among desktops and laptops, businesses use non-Microsoft software running under Windows.

            I work for UPS, a large company with presence all over the world. The desktops and laptops run Windows, but the computers that watch packages as they are being sorted run Linux. Some of the servers run Microsoft Windows but others ru

            • by cusco ( 717999 )

              Of course it's counting desktops and laptops, the server room is not the entire company. End users are at least a little bit important to productivity.

              If you want to go that far, then probably the most common OS running in the Azure data centers is the proprietary one that runs on all of the Arecont security cameras. Let's not be silly, though.

              • Of course it's counting desktops and laptops, the server room is not the entire company. End users are at least a little bit important to productivity.

                If you want to go that far, then probably the most common OS running in the Azure data centers is the proprietary one that runs on all of the Arecont security cameras. Let's not be silly, though.

                I don't see anything silly here. At UPS, most "end users" don't use a desktop or laptop, but do use a computer. I wouldn't be surprised if that was also true at Amazon. At companies like KPMG, on the other hand, I wouldn't be surprised if the "end users" use desktops or laptops.

  • 10, 20, 50 million is pocket money for those companies. They're essentially getting people to work on their bugs for free.

    • I wonder how many people that amount could have paid to actually write the stuff securely in the first place, then some others to properly test it?
      Like, before releasing it?

      • by AmiMoJo ( 196126 )

        Security doesn't work that way. You can't just pay more money to make it happen.

        In fact this is a lot cheaper for them. They could hire people to look for security flaws in-house but would have to pay them for a lot of work that leads nowhere. With bug bounties they only have to pay when work bears fruit.

      • I wonder how many people that amount could have paid to actually write the stuff securely in the first place, then some others to properly test it? Like, before releasing it?

        They do pay money to write the stuff securely in the first place, and to test it. But humans being humans, there will always be stuff that slips through the cracks. Not only that, a lot of vulnerabilities found by researchers in these bug bounty programs are either based on novel attacks or on novel methods of identifying known types of attacks.

        I work for Google, on Android security. Here's a partial list of the things we do:

        * Train all Android engineers on secure coding best practices.
        * Require all n

  • Microsoft has had the buggiest software in years, be it Windows, Explorer, Edge, etc. Zero-day exploits are now a common thing.

    So, yes, it seems more bugs would be discovered, and IF they pay dollar for dollar bug for bug like Google (which we have no idea)
    THEN we could say that Microsoft paying double means something.

    What I think is a good thing is
    - they ARE paying for sec.research and pen.testers to find bugs
    - they ARE issuing mostly timely fixes for these bugs

    Kudos to Microsoft for spending the money.

    • by Anonymous Coward

      Hence they now largely outsource their web browser to the Chrome team and rely on Google's security mechanism.

      Any bugs Microsoft themselves introduce in Edge represent a much smaller attack surface.

      If they really wanted to shed millions of lines of code they'd adopt freedesktop's Mesa with a small amount of glue code to interface with the NT kernel, outsourcing graphics driver development to the wider community.

  • Subject says it all
  • Basically, Microsoft figured it out it was cheaper to pay bounties versus hiring full-time security engineers...
    • by cusco ( 717999 )

      If you think that anyone on the planet could write an error free and perfectly secure operating system destined to run on platforms as diverse as phones and supercomputers while running basically every piece of software written in the last two decades then you're sadly mistaken. MS has literally thousands of full time security engineers, both blue badges and contractors, the bug bounty helps to address issues that slip past them.

  • Double the payout for 10 times the number of bugs?
