How successful is Microsoft’s bug bounty program?
Microsoft’s bug bounty program, created to help secure its products and services from attack, has been operating since 2013. In that time it has paid hackers more than $60 million for finding vulnerabilities, $16.6 million of it in the last reporting period alone. Which raises the question of why there are still so many vulnerabilities, including the scary ones used in zero-day exploits, crawling out of the Windows woodwork.
How hackers get paid to hack Microsoft without breaking the law
Security threats to users of Microsoft platforms and services, from Windows zero-days to Microsoft Account takeover attacks, have one thing in common: vulnerabilities. Something, somewhere, buried in the code of a product or even in the flow of a service process, that can leave a way in for hackers and online criminals. Discovering these vulnerabilities before they can be exploited is essential to protecting users from those who would abuse them and from the damage done to their data. That is why Google paid hackers $11.8 million through its bug bounty program during 2024. And it is why Microsoft has spent more than $60 million, $16.6 million of it in the last reporting period alone, paying hackers to do the same.
A March 13 post by Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center, confirmed that the rapid detection and mitigation of security vulnerabilities is more important than ever before. “MSRC partners with product teams across Microsoft, as well as external security researchers,” Gallagher said, “to investigate security vulnerabilities that affect Microsoft’s products and services.”
Those external security researchers are the hackers in question, and they are often eligible for payment under Microsoft’s incentivized bug bounty programs.
Microsoft follows the principle of coordinated vulnerability disclosure with such hackers when responding to and mitigating security vulnerabilities. “This approach gives researchers recognition for their work,” Gallagher said, “and offers Microsoft an opportunity to address newly reported vulnerabilities before bad actors exploit them.” Unless, that is, Microsoft does not get that opportunity and the threat actors do. And this is where zero-day exploits enter the equation.
When hackers attack before a vulnerability is discovered
A zero-day attack, as described by my friend and colleague Kate O’Flaherty, targets a vulnerability that has not yet been fixed. “The term zero-day derives from the fact that once it is out there and known to the vendor, the vendor has zero days to release a fix,” O’Flaherty said. “It is therefore a race against time for the vendor responsible for the operating system to release a patch for the flaw before the attacker can get hold of the details.”
Here is the shocking truth: not all hackers are cybercriminals, but all cybercriminals are hackers. Which means that while there are hackers participating in bug bounty programs such as those run by Google and Microsoft, there are many others who will do the same work to discover a vulnerability but, instead of disclosing it to the vendor concerned in exchange for cash, will sell it to the highest bidder, nation states included. State-sponsored attack groups can discover such zero-day vulnerabilities themselves or, more likely, buy them from zero-day brokers, paying six figures or more depending on the target involved. This is why bug bounty programs alone will never stop the zero-day threat. But that does not mean the money Microsoft pays hackers is not well spent; far from it. Without the good hackers finding these vulnerabilities there would be more zero-days out there, and more harm done as a result.