Security Program Manager in the MSRC
- Bug Bounty
- Outreach to the Security Research and Partner Community
- Security Conference Sponsorship
- Security Vulnerability Management aka Case Management
In the past, a Microsoft Developer Consultant working with our hardware and software partners
I graduated from Georgia Institute of Technology with a bachelor's in Electrical Engineering
In my spare time, I enjoy playing basketball and watching anime
Bounty Programs
Microsoft Bounty Programs
A bug bounty is a program that sets out the criteria for what someone will pay for reported bugs
• Microsoft is focused on security vulnerabilities
Various parties offer bounties for software and services bugs
• Those who write the code (Microsoft, Google, Facebook, Yahoo!, etc.)
• Agents of those who write the code (BugCrowd, HackerOne, SynAck, etc.)
• Concerned parties who use the code (Internet Bug Bounty, GitHub, etc.)
• Vulnerability resellers (Zerodium, Zeronomicon)
Microsoft Bounty Programs Old and New
Program | Maximum Bounty | Duration | Active/Closed
Edge Web Platform on WIP slow | $15,000 | Ends May 15, 2017 | Active
.NET Core and ASP.NET Core | $15,000 | Sustained | Active
Online Services (O365 and Azure) | $15,000 | Sustained | Active
Mitigation Bypass | $100,000 | Sustained | Active
Bounty for Defense | $100,000 | Sustained | Active
.NET Core and ASP.NET Core RC2 | $15,000 | Ended Sept 7, 2016 | Closed
Nano Server TP5 | $15,000 | Ended 29 July | Closed
ASP.NET and CoreCLR (part 1) | $15,000 | 2015 | Closed
Microsoft Edge Beta Bounty Program (part 1) | $15,000 | 2015 | Closed
BlueHat Prize | $100,000 | 2013 | Closed
New Microsoft Bounty Programs
• Microsoft Edge Web Platform Bug Bounty
• Microsoft .NET Core and ASP.NET Core Bug Bounty
https://blogs.technet.microsoft.com/msrc/
Microsoft Edge Beta Web Platform Bounty (Part 2)
W3C standards
• The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build
• Program runs Aug 4, 2016 to May 15, 2017
• Microsoft will pay up to $1,500 USD for the first report received on an internally known issue
Vulnerability Type | Payout Range (USD) *
Remote Code Execution in Microsoft Edge on recent builds of WIP slow | Up to $15,000
Violations of W3C standards that compromise privacy or integrity of important user data | Up to $6,000
  This includes:
  • Violation of SoP, i.e. UXSS
  • Referrer spoofs
  This does not include:
  • XSS, CSRF: report these to the web site owner
  • XSS filter bypass
For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx
Edge Attack Surface Reduction
With the Edge browser, we also seized the opportunity to drastically reduce the attack surface exposed to the web
• No legacy document modes
• No legacy script engines (VBScript, JScript)
• No Vector Markup Language (VML)
• No Toolbars
• No Browser Helper Objects (BHOs)
• No ActiveX controls
[Chart: Internet Explorer vs. Edge, H1 (Aug 2015 - Jan 2016) and H2 (Feb 2016 - Jul 2016); x-axis 0 to 150; bar values as extracted: 81, 22, 47, 34]
.NET Core and ASP.NET Core Bug Bounty
• Vulnerabilities in the latest available .NET builds
• Program began September 1, 2016 (continuous)
• All bugs have to reproduce in the latest beta or release candidates to qualify
• Pays up to $15,000 USD
Vulnerability type | Payout range (USD)
Remote Code Execution | $15,000 to $1,500
Security Design Flaw | $10,000 to $1,500
Elevation of Privilege | $10,000 to $5,000
Remote DoS | $5,000 to $2,500
Tampering / Spoofing | $5,000 to $500
Information Leaks | $2,500 to $750
Template CSRF or XSS | $2,000 to $500
For additional information about this program: https://technet.microsoft.com/en-us/mt764065
Online Services Bug Bounty Program
O365 + Azure
$500 to $15,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn800983
Hyper-V
Hyper-V escapes that will receive a bounty
Up to $100,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn425049
Mitigation Bypass and Bounty for Defense
• Novel mitigation bypass
• Defense idea that would block exploitation
Up to $200,000 (Mit. Bypass + Bounty for Defense)
For additional information about this program: https://technet.microsoft.com/en-us/dn425049
Eliminating classes of vulnerabilities
We move beyond the “hand-to-hand combat” of finding and fixing individual issues by identifying ways to eliminate entire classes of vulnerabilities
Goal: Increase attacker cost of finding exploitable vulnerabilities
We Closely Study Vulnerability Root Cause Trends
[Chart: stacked percentage of Microsoft CVEs by vulnerability root cause, 2006 to 2016, y-axis 0% to 100%. Classes: Use After Free, Heap Corruption, Other, Type Confusion, Heap OOB Read, Uninitialized Use, Stack Corruption.]
[Chart: % of Microsoft RCE & EOP CVEs exploited within 30 days of patch, by patch year 2006 to 2015, y-axis 0% to 100%. Series: Exploited within 30 days of patch; Not known to be exploited.]
Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments
[Chart: # of Microsoft RCE/EOP CVEs by patch year, 2006 to 2015, with a linear trend line (Total, Linear (Total)). Y-axis: # of CVEs, 0 to 450. Bar values as extracted, in order: 121, 111, 133, 155, 218, 199, 141, 287, 300, 414.]
Analysis: High-level Vulnerability & Exploit Trends
Measuring The Impact Of Our Strategy So Far
• The number of Microsoft vulnerabilities exploited within 30 days of a patch has continued to decline year over year despite increases in the number of vulnerabilities being addressed each year
• In the last two years, no zero day exploits for Microsoft RCE vulnerabilities have been found in-the-wild that work against Internet Explorer 11 on Windows 8.1+
• Since releasing Edge one year ago, there have been no zero day exploits found in-the-wild targeting Edge
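The two metrics charted above (RCE/EOP CVEs per patch year, and the share of them with a known exploit within 30 days of the patch) can be computed from a table of patch dates and first-known-exploit dates. The script below is an added illustration of that calculation, not MSRC's own tooling; the CVE identifiers and dates in it are constructed sample data, not real records.

```python
"""Compute the two metrics the slides chart: the number of RCE/EOP CVEs per
patch year and the share of them with a known in-the-wild exploit within
30 days of the patch. Added illustration, not MSRC tooling; the records
below are constructed sample data, not real CVE history."""
from collections import defaultdict
from datetime import date, timedelta

WINDOW = timedelta(days=30)

# Constructed sample records: (cve_id, patch_date, first_known_exploit_date or None).
# The IDs are placeholders, not real CVE numbers.
SAMPLE_RECORDS = [
    ("CVE-EXAMPLE-0001", "2014-03-11", "2014-02-12"),  # zero-day: exploited before the patch
    ("CVE-EXAMPLE-0002", "2014-03-11", None),
    ("CVE-EXAMPLE-0003", "2014-05-13", "2014-06-01"),  # exploited 19 days after the patch
    ("CVE-EXAMPLE-0004", "2014-07-08", "2014-09-30"),  # exploited, but outside the 30-day window
    ("CVE-EXAMPLE-0005", "2015-08-18", "2015-08-18"),  # exploit and patch on the same day
    ("CVE-EXAMPLE-0006", "2015-10-13", None),
    ("CVE-EXAMPLE-0007", "2015-12-08", None),
    ("CVE-EXAMPLE-0008", "2015-12-08", None),
]


def exploited_within_window(patch_iso, exploit_iso, window=WINDOW):
    """True if a known exploit appeared no later than `window` after the patch.
    An exploit seen before the patch (a zero-day) counts as well, as it does
    on the slides."""
    if exploit_iso is None:
        return False
    patched = date.fromisoformat(patch_iso)
    exploited = date.fromisoformat(exploit_iso)
    return exploited <= patched + window


def summarize_by_patch_year(records):
    """Return {patch_year: (total_cves, exploited_within_30d, pct_exploited)},
    ordered by year, so both chart series come out of one pass."""
    totals = defaultdict(int)
    exploited = defaultdict(int)
    for _cve, patch_iso, exploit_iso in records:
        year = date.fromisoformat(patch_iso).year
        totals[year] += 1
        if exploited_within_window(patch_iso, exploit_iso):
            exploited[year] += 1
    return {
        year: (totals[year], exploited[year],
               round(100.0 * exploited[year] / totals[year], 1))
        for year in sorted(totals)
    }


if __name__ == "__main__":
    for year, (total, hit, pct) in summarize_by_patch_year(SAMPLE_RECORDS).items():
        print(f"{year}: {total} CVEs, {hit} exploited within 30 days ({pct}%)")
```

The window is measured from the patch date, so an exploit first seen before the patch (the zero-day case on the next slide) is always counted; a CVE whose exploit only surfaced months later falls into the "not known to be exploited within 30 days" bucket, which is how the slide's series is defined.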
Success Story: Internet Explorer
Timeline, 1/1/2014 to 1/1/2016:
0day exploit in Internet Explorer:
• CVE-2014-0322: 2/12/2014 - 3/11/2014
• CVE-2014-0324: 2/19/2014 - 3/11/2014
• CVE-2014-1776: 4/23/2014 - 5/1/2014
• CVE-2014-1815: 5/1/2014 - 5/13/2014
• CVE-2015-2502: 8/18/2015
New Internet Explorer Security Feature:
• 6/8/2014: Use-After-Free hardening v1
• 7/6/2014: Use-After-Free hardening v2
• 8/3/2014: Out-of-Date Java Blocking
• 11/7/2014: CFG Windows 8.1 Shipped (Optional Update)
• 2/11/2015: CFG for Windows 8.1 Shipped (Default)
• 7/5/2015: Type Protector Shipped
• 10/1/2015: MemGC IE 11
Year | Zero Day RCE CVE
2013 | 8
2014 | 4
2015 | 1
• A focus on mitigations for disruption of invariant techniques used in exploits (ROP, Heap Spraying, UAF)
• In 2015 only 6 days with a known zero day Internet Explorer RCE exploit in-the-wild (previously 135 days, then 45 days)
• Vulnerability volume has increased but the number of zero day exploits has decreased
Software Bug Bounty Program
Security Vulnerability Impacts and Payouts
Bypassing existing mitigations in the OS or Browser | $100,000
Hyper-V escapes | $100,000
Remote Code Execution | $15,000
Elevation of Privileges | $10,000
Security Design Flaws | $10,000
Tampering/Spoofing | $5,000
Remote DoS | $5,000
Information Disclosure | $2,500
Payout range is: $500 to $100,000 USD
We pay the highest bounties for:
1) High quality reports
• POC
• Detailed write up
2) High impact bugs
Online Services Bug Bounty Program
Security Vulnerability Types
XSS
CSRF
Authentication vulnerabilities
Privilege escalation
Injection Vulnerabilities
Insecure direct object reference
Unauthorized cross tenant access or tampering
Server-side code execution
Significant security misconfiguration
Payout range is: $500 to $15,000 USD (with 2x bounties up to $30,000)
The highest bounties can be earned on:
1. Authentication Vulnerabilities – OAuth, SAML 2.0 related bugs
2. Privilege Escalations
3. XSS and CSRF (on high traffic, high impact sites)
Bounties Paid To Date
• Mitigation Bypass, Bounty for Defense and BlueHat Prize: > $600,000 USD
• Online Services Bug Bounty: > $400,000 USD
• Software Bounties: > $200,000 USD
Finder Appreciation and Retention (FAR)
Unique Opportunities
• BlueHat invitations and speaking opportunities
• Private Microsoft party invites at various conferences
• Bountycraft invitations
• Get hired by Microsoft
Rewards
• At conferences we award top finders with MSDN licenses, customized Surface Pro laptops, Surface Books and other hardware
• This will continue to grow
Bounty
• Bounties are offered across a number of Microsoft products
• This will continue to grow
Credit
• Credit to finders in the form of CVE number attribution, and a formal thanks in the KB articles
• This will continue
For more information:
• https://technet.microsoft.com/en-us/security/mt767986
• https://technet.microsoft.com/en-us/security/dn469163
Top 100 Finders for 2016
1. ZDI - Disclosures
2. Richard Shupak
3. Mateusz Jurczyk
4. I - Defense
5. Steven Vittitoe
6. Bo Qu
7. Tyan
8. Zheng Huang
9. Peter Allor
10. Chenxuebin
11. Liu Long
12. Zhang Yunhai
13. Haifei Li
14. Yu Yang
15. Moritz Jodeit
16. Jack Tang
17. Henry Li
18. Linan Hao
19. XLAB - Tencent
20. Kai Kang
21. Cameron Dawe
22. Suwei Chen
23. Adobe PSIRT
24. Shi Ji
25. James Forshaw
26. Ben Hawkes
27. Zhoujp
28. Mgchoi
29. Atte Kettunen
30. Lucas Leong
31. Kai Song aka Exp-
Sky (Tencent)
32. Mbarbella
33. Fortinet
34. Nicolas Dolgin
35. Chris Evans
36. Zer0mem
37. Dhanesh Kizhakkinan
38. Taylor Woll
39. Hui Gao
40. Wenxiang Qian
41. Jaanus Kaap
42. Richard Warren
43. Robert Gawlik
44. Lvbluesky
45. Noamr
46. Zhong She Fang
47. Adi Ivascu
48. Karim Valiev
49. Nicolas Gregoire
50. Jaehun Jeong
Top 100 Finders for 2016
51. Cert-CC
52. Fanxiaocao
53. Yangkang3
54. Tongbo Luo
55. Tigonlab
56. Nesk
57. Fuzzers
58. Chendongli
59. Winsonliu
60. Zhengwen Bin
61. Jack Whitton
62. Pflashispunk
63. Dan Caselden
64. Luciano Corsalini
65. Fengzhi Yong
66. Mario Heiderich
67. Yorick Koster
68. Sourceincite
69. Lu
70. Saurabh Pundir
71. Udi Yavo
72. Rodolfo Godalle
73. Abdel Hafid Ait Chikh
74. Stefan Kanthak
75. Klyin
76. Eric Lawrence
77. Scott Bell
78. Sebastien Morin
79. Nicolas Joly
80. Li Kemeng
81. Michail Bolshov
82. Mustafa Hasan
83. Th3proinformatique
84. Hao Linan
85. Ajayanandctg
86. Alex Ionescu
87. John Page
88. Costin Raiu
89. Bingchang Liu
90. Hamza Bettache
91. Kostya Kortchinsky
92. Ivan Grigorov
93. Is4curity
94. Anatolii Bench
95. Mandeep Jadon
96. Yunxiang Wyx
97. Zhang Cong
98. Shernan
99. Skylined
100. Rafal Wojtczuk
Researcher Distribution
Regions | Software Bounties | Services Bounties
Europe | 33% | 39%
Asia | 38% | 25%
North America | 28% | 26%
Middle East | 0% | 8%
South America | 1% | 2%
Top Three in This Region
Software Vulnerabilities
1) RCE
2) EoP
3) Security Feature Bypass
Services Vulnerabilities
1) XSS (which leads to EoP)
2) Security Misconfiguration (which enables tampering/spoofing)
3) CSRF (which enables tampering/spoofing)
Making It To The MSRC Top 100 List
The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100
MSRC has 1000s of finders across time
• Most have reported 1 bug over time
• Many times the 1 bug was a duplicate
• A few more have reported 2-3 across time
Our top 100 finders report regularly
• Responsible for most of our critical vulnerabilities
• Discover 2+ novel security bugs per year
• Still get regular duplicate reports (internally or externally known)
The top 10 have reported LOTS of bugs
• Spend most of their time looking for bugs
• Many work for partner companies
• Others are full-time bug hunters
• Penetration Testers
• Professional Bug Bounty hunters
CVD: Coordinated Vulnerability Disclosure
• We request that you keep customers secure by maintaining the confidentiality of the vulnerability report to MSRC
• If you wish to discuss the vulnerability publicly or blog about it, please wait until it has been fixed and patches have been released to customers
• Preferably, blog or present the vulnerability 30 days after it has been patched. This gives customers enough time to take the patch
• Never publish any exploit code (please!)
• We are happy to provide technical review of any talks, white papers or blogs you are publishing
For additional information about this program: https://technet.microsoft.com/en-us/security/dn467923.aspx
Take Action
https://aka.ms/BugBounty
2. Identify the bounty
3. Report your findings to secure@microsoft.com
4. Give us your name and a good email to reach you at
5. Encrypt with our public key (if it’s a PoC or working exploit)
6. For eligible bounty cases, GET PAID!
Always maintain CVD
Secure@Microsoft.com – 2015 Stats
One entry point for Security Vulnerability Reports
1000s
Bulletins released: 135
CVEs fixed: 527
Questions
akila.srinivasan@microsoft.com
twitter.com/akilsrin
Aka.ms/BugBounty

Jurczyk windows metafile_pacsec_v2PacSecJP
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalPacSecJP
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaPacSecJP
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpPacSecJP
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalPacSecJP
 

More from PacSecJP (19)

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
 

Recently uploaded

Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 

Recently uploaded (11)

Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 

Security Program Manager in the MSRC

2. Security Program Manager in the MSRC
- Bug Bounty
- Outreach to the Security Research and Partner Community
- Security Conference Sponsorship
- Security Vulnerability Management aka Case Management
In the past a Microsoft Developer Consultant working with our hardware and software partners.
I graduated from Georgia Institute of Technology with a bachelor's in Electrical Engineering.
In my spare time, I enjoy playing basketball and watching anime.

4. Microsoft Bounty Programs
A bug bounty is a program set up to identify criteria around what someone will pay for reporting bugs.
• Microsoft is focused on security vulnerabilities
Various parties offer bounties for software and services bugs:
• Those who write the code (Microsoft, Google, Facebook, Yahoo! etc…)
• Agents of those who write the code (BugCrowd, HackerOne, SynAck, etc…)
• Concerned parties who use the code (Internet Bug Bounty, GitHub, etc…)
• Vulnerability resellers (Zerodium, Zeronomicon)

5. Microsoft Bounty Programs Old and New
Program | Maximum Bounty | Duration | Active/Closed
Edge Web Platform on WIP slow | $15,000 | End May 15, 2017 | Active
.NET Core and ASP.NET Core | $15,000 | Sustained | Active
Online Services (O365 and Azure) | $15,000 | Sustained | Active
Mitigation Bypass | $100,000 | Sustained | Active
Bounty for Defense | $100,000 | Sustained | Active
.NET Core and ASP.NET Core RC2 | $15,000 | End Sept 7, 2016 | Closed
Nano Server TP5 | $15,000 | Ended 29 July | Closed
ASP.NET and CoreCLR (part 1) | $15,000 | 2015 | Closed
Microsoft Edge Beta Bounty Program (part 1) | $15,000 | 2015 | Closed
BlueHat Prize | $100,000 | 2013 | Closed

6. New Microsoft Bounty Programs
• Microsoft Edge Web Platform Bug Bounty
• Microsoft .NET Core and ASP.NET Core Bug Bounty
https://blogs.technet.microsoft.com/msrc/

7. Microsoft Edge Beta Web Platform Bounty (Part 2)
W3C standards
• The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build
• Program runs Aug 4, 2016 to May 15, 2017
• Microsoft will pay up to $1,500 USD for the first report received on an internally known issue
Vulnerability Type | Payout Range (USD) *
Remote Code Execution in Microsoft Edge on recent builds of WIP slow | Up to $15,000
Violations of W3C standards that compromise privacy or integrity of important user data. This includes: violation of SoP, i.e. UXSS; referrer spoofs. This does not include: XSS, CSRF (report these to the web site owner); XSS filter bypass | Up to $6,000
For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx

8. Edge Attack Surface Reduction
With the Edge browser, we also seized the opportunity to drastically reduce the attack surface exposed to the web:
• No legacy document modes
• No legacy script engines (VBScript, JScript)
• No Vector Markup Language (VML)
• No Toolbars
• No Browser Helper Objects (BHOs)
• No ActiveX controls
[Chart: Internet Explorer vs. Edge, H1 (Aug 2015 - Jan 2016) and H2 (Feb 2016 - Jul 2016)]

9. .NET Core and ASP.NET Core Bug Bounty
• Vulnerabilities in the latest available .NET builds
• Program began September 1, 2016 (continuous)
• All bugs have to reproduce in the latest beta or release candidates to qualify
• Pays up to $15,000 USD
Vulnerability type | Payout range (USD)
Remote Code Execution | $15,000 to $1,500
Security Design Flaw | $10,000 to $1,500
Elevation of Privilege | $10,000 to $5,000
Remote DoS | $5,000 to $2,500
Tampering / Spoofing | $5,000 to $500
Information Leaks | $2,500 to $750
Template CSRF or XSS | $2,000 to $500
For additional information about this program: https://technet.microsoft.com/en-us/mt764065

10. Online Services Bug Bounty Program
O365 + Azure: $500 to $15,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn800983

11. Hyper-V
Hyper-V escapes that will receive a bounty: up to $100,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn425049

12. Mitigation Bypass and Bounty for Defense
A novel mitigation bypass plus a defense idea that would block the exploitation: up to $200,000 (Mit. Bypass + Bounty for Defense)
For additional information about this program: https://technet.microsoft.com/en-us/dn425049

13. Eliminating classes of vulnerabilities
We move beyond the "hand-to-hand combat" of finding and fixing individual issues by identifying ways to eliminate entire classes of vulnerabilities.
Goal: Increase attacker cost of finding exploitable vulnerabilities

14. We Closely Study Vulnerability Root Cause Trends
[Chart: share of Microsoft vulnerabilities by root cause and patch year, 2006 to 2016: Use After Free, Heap Corruption, Other, Type Confusion, Heap OOB Read, Uninitialized Use, Stack Corruption]

15. Analysis: High-level Vulnerability & Exploit Trends
Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments.
# of Microsoft RCE/EOP CVEs by patch year, and % of Microsoft RCE & EOP CVEs exploited within 30 days of patch:
Patch Year | Exploited within 30 days of patch | Not known to be exploited | Total
2006 | 24 | 97 | 121
2007 | 18 | 93 | 111
2008 | 19 | 114 | 133
2009 | 25 | 130 | 155
2010 | 61 | 157 | 218
2011 | 43 | 156 | 199
2012 | 25 | 116 | 141
2013 | 21 | 266 | 287
2014 | 18 | 282 | 300
2015 | 18 | 396 | 414

16. Measuring The Impact Of Our Strategy So Far
• The number of Microsoft vulnerabilities exploited within 30 days of a patch has continued to decline year over year despite increases in the number of vulnerabilities being addressed each year
• In the last two years, no zero day exploits for Microsoft RCE vulnerabilities have been found in-the-wild that work against Internet Explorer 11 on Windows 8.1+
• Since releasing Edge one year ago, there have been no zero day exploits found in-the-wild targeting Edge

17. Success Story: Internet Explorer
0day exploits in Internet Explorer (timeline, 2014 to 2015):
• 2/12/2014 - 3/11/2014: CVE-2014-0322
• 2/19/2014 - 3/11/2014: CVE-2014-0324
• 4/23/2014 - 5/1/2014: CVE-2014-1776
• 5/1/2014 - 5/13/2014: CVE-2014-1815
• 8/18/2015: CVE-2015-2502
New Internet Explorer security features:
• 6/8/2014: Use-After-Free hardening v1
• 7/6/2014: Use-After-Free hardening v2
• 8/3/2014: Out-of-Date Java Blocking
• 11/7/2014: CFG Windows 8.1 Shipped (Optional Update)
• 2/11/2015: CFG for Windows 8.1 Shipped (Default)
• 7/5/2015: Type Protector Shipped
• 10/1/2015: MemGC IE 11
Zero Day RCE CVEs by year: 2013: 8 | 2014: 4 | 2015: 1
• A focus on mitigations for disruption of invariant techniques used in exploits (ROP, Heap Spraying, UAF)
• In 2015 only 6 days with a known zero day Internet Explorer RCE exploit in-the-wild (previously 135 days, then 45 days)
• Vulnerability volume has increased but the number of zero day exploits has decreased

18. Software Bug Bounty Program
Security Vulnerability Impacts and Payouts:
Bypassing existing mitigations in the OS or Browser | $100,000
Hyper-V escapes | $100,000
Remote Code Execution | $15,000
Elevation of Privileges | $10,000
Security Design Flaws | $10,000
Tampering/Spoofing | $5,000
Remote DoS | $5,000
Information Disclosure | $2,500
Payout range is: $500 to $100,000 USD
We pay the highest bounties for:
1) High quality reports (POC, detailed write-up)
2) High impact bugs

19. Online Services Bug Bounty Program
Security Vulnerability Types: XSS; CSRF; Authentication vulnerabilities; Privilege escalation; Injection vulnerabilities; Insecure direct object reference; Unauthorized cross tenant access or tampering; Server-side code execution; Significant security misconfiguration
Payout range is: $500 to $15,000 USD (with 2x bounties up to $30,000)
The highest bounties can be earned on:
1. Authentication Vulnerabilities – OAuth, SAML 2.0 related bugs
2. Privilege Escalations
3. XSS and CSRF (on high traffic, high impact sites)

20. Bounties Paid To Date
• Mitigation Bypass, Bounty for Defense and BlueHat Prize: > $600,000 USD
• Online Services Bug Bounty: > $400,000 USD
• Software Bounties: > $200,000 USD

21. Finder Appreciation and Retention (FAR)
Unique Opportunities: BlueHat invitations and speaking opportunities; private Microsoft party invites at various conferences; Bountycraft invitations; get hired by Microsoft
Rewards: At conferences we award top finders with MSDN licenses, customized Surface Pro laptops, Surface Books and other hardware. This will continue to grow.
Bounty: Bounties are offered across a number of Microsoft products. This will continue to grow.
Credit: Credit to finders in the form of CVE number attribution, and a formal thanks in the KB articles. This will continue.
For more information:
• https://technet.microsoft.com/en-us/security/mt767986
• https://technet.microsoft.com/en-us/security/dn469163

22. Top 100 Finders for 2016
1. ZDI - Disclosures, 2. Richard Shupak, 3. Mateusz Jurczyk, 4. I - Defense, 5. Steven Vittitoe, 6. Bo Qu, 7. Tyan, 8. Zheng Huang, 9. Peter Allor, 10. Chenxuebin,
11. Liu Long, 12. Zhang Yunhai, 13. Haifei Li, 14. Yu Yang, 15. Moritz Jodeit, 16. Jack Tang, 17. Henry Li, 18. Linan Hao, 19. XLAB - Tencent, 20. Kai Kang,
21. Cameron Dawe, 22. Suwei Chen, 23. Adobe PSIRT, 24. Shi Ji, 25. James Forshaw, 26. Ben Hawkes, 27. Zhoujp, 28. Mgchoi, 29. Atte Kettunen, 30. Lucas Leong,
31. Kai Song aka Exp-Sky (Tencent), 32. Mbarbella, 33. Fortinet, 34. Nicolas Dolgin, 35. Chris Evans, 36. Zer0mem, 37. Dhanesh Kizhakkinan, 38. Taylor Woll, 39. Hui Gao, 40. Wenxiang Qian,
41. Jaanus Kaap, 42. Richard Warren, 43. Robert Gawlik, 44. Lvbluesky, 45. Noamr, 46. Zhong She Fang, 47. Adi Ivascu, 48. Karim Valiev, 49. Nicolas Gregoire, 50. Jaehun Jeong

23. Top 100 Finders for 2016 (continued)
51. Cert-CC, 52. Fanxiaocao, 53. Yangkang3, 54. Tongbo Luo, 55. Tigonlab, 56. Nesk, 57. Fuzzers, 58. Chendongli, 59. Winsonliu, 60. Zhengwen Bin,
61. Jack Whitton, 62. Pflashispunk, 63. Dan Caselden, 64. Luciano Corsalini, 65. Fengzhi Yong, 66. Mario Heiderich, 67. Yorick Koster, 68. Sourceincite, 69. Lu, 70. Saurabh Pundir,
71. Udi Yavo, 72. Rodolfo Godalle, 73. Abdel Hafid Ait Chikh, 74. Stefan Kanthak, 75. Klyin, 76. Eric Lawrence, 77. Scott Bell, 78. Sebastien Morin, 79. Nicolas Joly, 80. Li Kemeng,
81. Michail Bolshov, 82. Mustafa Hasan, 83. Th3proinformatique, 84. Hao Linan, 85. Ajayanandctg, 86. Alex Ionescu, 87. John Page, 88. Costin Raiu, 89. Bingchang Liu, 90. Hamza Bettache,
91. Kostya Kortchinsky, 92. Ivan Grigorov, 93. Is4curity, 94. Anatolii Bench, 95. Mandeep Jadon, 96. Yunxiang Wyx, 97. Zhang Cong, 98. Shernan, 99. Skylined, 100. Rafal Wojtczuk

24. Researcher Distribution
Regions | Software Bounties | Services Bounties
Europe | 33% | 39%
Asia | 38% | 25%
North America | 28% | 26%
Middle East | 0% | 8%
South America | 1% | 2%
Top Three in This Region
Software Vulnerabilities: 1) RCE 2) EoP 3) Security Feature Bypass
Services Vulnerabilities: 1) XSS (which lead to EoP) 2) Security Misconfiguration (which enable tampering/spoofing) 3) CSRF (which enable tampering/spoofing)

25. Making It To The MSRC Top 100 List
The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100.
MSRC has 1000s of finders across time:
• Most have reported 1 bug over time
• Many times the 1 bug was a duplicate
• A few more have reported 2-3 across time
Our top 100 finders report regularly:
• Responsible for most of our critical vulnerabilities
• Discover 2+ novel security bugs per year
• Still get regular duplicate reports (internally or externally known)
The top 10 have reported LOTS of bugs:
• Spend most of their time looking for bugs
• Many work for partner companies
• Others are full-time bug hunters: penetration testers, professional bug bounty hunters

26. CVD: Coordinated Vulnerability Disclosure
• We request that you keep customers secure by maintaining the confidentiality of the vulnerability report to MSRC
• If you wish to discuss the vulnerability publicly or blog about it, please wait until it has been fixed and patches have been released to customers
• Preferably, blog or present the vulnerability 30 days after it has been patched. This gives customers enough time to take the patch
• Never publish any exploit code (please)
• We are happy to provide technical review of any talks, white papers or blogs you are publishing
For additional information about this program: https://technet.microsoft.com/en-us/security/dn467923.aspx

27. Take Action
1. https://aka.ms/BugBounty
2. Identify the bounty
3. Report your findings to secure@microsoft.com
4. Give us your name and a good email to reach you at
5. Encrypt with our public key (if it's a PoC or working exploit)
6. For eligible bounty cases, GET PAID!

28. Secure@Microsoft.com – 2015 Stats
One entry point for Security Vulnerability Reports: 1000s
Bulletins released: 135
CVEs fixed: 527
Always maintain CVD