While they may sound like a new show on the Discovery Channel, “bug bounty” programs have a more practical reason for existence. In the IT world, bugs most often represent security vulnerabilities, though they can also indicate the presence of process issues and hardware flaws. Bug bounty programs allow independent security researchers to identify and report bugs to an organization in exchange for compensation or rewards. These programs allow corporations to utilize the skills of thousands of hackers and professionals, hopefully identifying flaws and vulnerabilities in the system before malicious hackers get there first.


Bug bounty programs may be classified as invite-only, in which case reports are kept confidential. However, organizations may also choose to make the programs public, allowing anyone to sign up and participate. Bug bounty programs sometimes have stipulated end dates, but most are open-ended. Many major organizations use bug bounties, including Microsoft, which has an active Microsoft 365 bug bounty program.

Why Do People Participate in Bug Bounty Programs?

Discovering and reporting bugs via these programs can provide both cash bonuses and recognition. Successful “bounty hunters” may gain real-world experience, add their findings to a resume, or earn recognition from industry security experts. Bug bounty hunting is a full-time source of income for some hackers – or can be a gateway to finding a full-time position. For hackers and even amateur sleuths, finding bugs can be a lot of fun and a great challenge.

Still, it is not an easy quest – industry experts estimate that 97% of participants will never successfully find and be rewarded for a bug.

Beneficial for Corporations and End Users

These programs aren’t suitable for all organizations, but they make sense for mature organizations interested in protecting their investments and clients. When successful, the program results in the organization discovering problems it hadn’t found itself. In the case of Microsoft, the company has extensive resources to fix any issues presented to it, so a bug bounty program can be beneficial.

These programs also ultimately help end-users of the product, as problems are rapidly identified and fixed before nefarious hackers exploit the issue.

Last week, Microsoft announced an increase in the rewards associated with several of its Bug Bounty Programs – some as significant as 30%. This includes the new scenario-based bounty awards for its Microsoft 365 Bounty Program. Last October, Microsoft announced up to $60,000 prizes for its Azure Bounty Program, asking researchers to find vulnerabilities in its cloud computing platform.

“Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities with the highest potential impact on customer privacy and security. Awards increase by up to 30% ($26,000 USD total) for eligible scenario submissions,” the Microsoft Security Response Center team explained.

Microsoft will give researchers a 30% bonus on top of the standard Microsoft 365 bounty awards for submissions that match one of several defined scenarios, including the discovery of a remote code execution vulnerability reachable through untrusted input.

“These new bounty awards are part of our continued efforts to partner with the security research community as part of Microsoft’s holistic approach to defending against security threats,” Microsoft said.

Those who trust Microsoft 365 (and Azure) for their companies’ overall success may view these programs as an additional step to protect them as they use the platform.

Alliance IT Can Help

Sarasota area SMBs looking for professional expertise regarding Microsoft 365 can call the experts at Alliance IT. Our team of IT professionals provides support in a wide variety of managed and cloud services and consulting and assessment programs.