Security Program Manager in the MSRC
• Bug Bounty
• Outreach to the Security Research and Partner Community
• Security Conference Sponsorship
• Security Vulnerability Management aka Case Management
In the past a Microsoft Developer Consultant working with our hardware and software partners
I graduated from Georgia Institute of Technology with a bachelor's in Electrical Engineering
In my spare time, I enjoy playing basketball and watching anime
Bounty Programs
Microsoft Bounty Programs
A bug bounty is a program set up to identify criteria around what someone will pay for reporting bugs
• Microsoft is focused on security vulnerabilities
Various parties offer bounties for software and services bugs
• Those who write the code (Microsoft, Google, Facebook, Yahoo! etc…)
• Agents of those who write the code (BugCrowd, HackerOne, SynAck, etc…)
• Concerned parties who use the code (Internet Bug Bounty, Github, etc…)
• Vulnerability resellers (Zerodium, Zeronomicon)
Microsoft Bounty Programs Old and New
Program | Maximum Bounty | Duration | Active/Closed
Edge Web Platform on WIP slow | $15,000 | End May 15, 2017 | Active
.NET Core and ASP.NET Core | $15,000 | Sustained | Active
Online Services (O365 and Azure) | $15,000 | Sustained | Active
Mitigation Bypass | $100,000 | Sustained | Active
Bounty for Defense | $100,000 | Sustained | Active
.NET Core and ASP.NET Core RC2 | $15,000 | End Sept 7, 2016 | Closed
Nano Server TP5 | $15,000 | Ended 29 July | Closed
ASP.NET and CoreCLR (part 1) | $15,000 | 2015 | Closed
Microsoft Edge Beta Bounty Program (part 1) | $15,000 | 2015 | Closed
BlueHat Prize | $100,000 | 2013 | Closed
New Microsoft Bounty Programs
• Microsoft Edge Web Platform Bug Bounty
• Microsoft .NET Core and ASP.NET Core Bug Bounty
https://blogs.technet.microsoft.com/msrc/
Microsoft Edge Beta Web Platform Bounty (Part 2)
W3C standards
• The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build
• Program runs Aug 4, 2016 to May 15, 2017
• Microsoft will pay up to $1,500 USD for the first report received on an internally known issue
Vulnerability Type | Payout Range (USD) *
Remote Code Execution in Microsoft Edge on recent builds of WIP slow | Up to $15,000
Violations of W3C standards that compromise privacy or integrity of important user data. This includes: violation of SoP, i.e. UXSS; referrer spoofs. This does not include: XSS, CSRF (report these to the web site owner); XSS filter bypass | Up to $6,000
For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx
Edge Attack Surface Reduction
With the Edge browser, we also seized the opportunity to drastically reduce the attack surface exposed to the web
• No legacy document modes
• No legacy script engines (VBScript, JScript)
• No Vector Markup Language (VML)
• No Toolbars
• No Browser Helper Objects (BHOs)
• No ActiveX controls
[Chart: Internet Explorer vs Edge, H1 (Aug 2015 - Jan 2016) and H2 (Feb 2016 - Jul 2016); axis 0 to 150; bar labels as extracted: 81, 22, 47, 34]
.NET Core and ASP.NET Core Bug Bounty
• Vulnerabilities in the latest available .NET builds
• Program began September 1, 2016 (continuous)
• All bugs have to reproduce in the latest beta or release candidates to qualify
• Pays up to $15,000 USD
Vulnerability type | Payout range (USD)
Remote Code Execution | $15,000 to $1,500
Security Design Flaw | $10,000 to $1,500
Elevation of Privilege | $10,000 to $5,000
Remote DoS | $5,000 to $2,500
Tampering / Spoofing | $5,000 to $500
Information Leaks | $2,500 to $750
Template CSRF or XSS | $2,000 to $500
For additional information about this program: https://technet.microsoft.com/en-us/mt764065
Online Services Bug Bounty Program
O365 + Azure
$500 to $15,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn800983
Hyper-V
Hyper-V escapes that will receive a bounty: up to $100,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn425049
Mitigation Bypass and Bounty for Defense
A novel mitigation bypass, plus a defense idea that would block that exploitation: up to $200,000 (Mit. Bypass + Bounty for Defense)
For additional information about this program: https://technet.microsoft.com/en-us/dn425049
Eliminating classes of vulnerabilities
We move beyond the “hand-to-hand combat” of finding and fixing individual issues by identifying ways to eliminate entire classes of vulnerabilities
Goal: Increase attacker cost of finding exploitable vulnerabilities
We Closely Study Vulnerability Root Cause Trends
[Chart: vulnerability root cause trends by patch year, 2006 to 2016, share of CVEs (0% to 100%) by class: Use After Free, Heap Corruption, Other, Type Confusion, Heap OOB Read, Uninitialized Use, Stack Corruption]
[Chart: % of Microsoft RCE & EOP CVEs exploited within 30 days of patch, by patch year 2006 to 2015; series: Exploited within 30 days of patch, Not known to be exploited]
Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments
[Chart: # of Microsoft RCE/EOP CVEs by patch year, 2006 to 2015, with a linear trend line (Total); axis 0 to 450; bar labels as extracted: 121, 111, 133, 155, 218, 199, 141, 287, 300, 414]
Analysis: High-level Vulnerability & Exploit Trends
Measuring The Impact Of Our Strategy So Far
• The number of Microsoft vulnerabilities exploited within 30 days of a patch has continued to decline year over year despite increases in the number of vulnerabilities being addressed each year
• In the last two years, no zero day exploits for Microsoft RCE vulnerabilities have been found in-the-wild that work against Internet Explorer 11 on Windows 8.1+
• Since releasing Edge one year ago, there have been no zero day exploits found in-the-wild targeting Edge
Success Story: Internet Explorer
Timeline, 1/1/2014 to 1/1/2016 (0day exploits in Internet Explorer and new Internet Explorer security features):
• 2/12/2014 - 3/11/2014: CVE-2014-0322 (0day exploit in Internet Explorer)
• 2/19/2014 - 3/11/2014: CVE-2014-0324 (0day exploit in Internet Explorer)
• 4/23/2014 - 5/1/2014: CVE-2014-1776 (0day exploit in Internet Explorer)
• 5/1/2014 - 5/13/2014: CVE-2014-1815 (0day exploit in Internet Explorer)
• 6/8/2014: Use-After-Free hardening v1 (new Internet Explorer security feature)
• 7/6/2014: Use-After-Free hardening v2 (new Internet Explorer security feature)
• 8/3/2014: Out-of-Date Java Blocking (new Internet Explorer security feature)
• 11/7/2014: CFG Windows 8.1 Shipped (Optional Update) (new security feature)
• 2/11/2015: CFG for Windows 8.1 Shipped (Default) (new security feature)
• 7/5/2015: Type Protector Shipped (new Internet Explorer security feature)
• 8/18/2015: CVE-2015-2502 (0day exploit in Internet Explorer)
• 10/1/2015: MemGC IE 11 (new Internet Explorer security feature)
Year | Zero Day RCE CVE
2013 | 8
2014 | 4
2015 | 1
• A focus on mitigations for disruption of invariant techniques used in exploits (ROP, Heap Spraying, UAF)
• In 2015 only 6 days with a known zero day Internet Explorer RCE exploit in-the-wild (previously 135 days, then 45 days)
• Vulnerability volume has increased but number of zero day exploits has decreased
Software Bug Bounty Program
Security Vulnerability Impacts and Payouts
Bypassing existing mitigations in the OS or Browser | $100,000
Hyper-V escapes | $100,000
Remote Code Execution | $15,000
Elevation of Privileges | $10,000
Security Design Flaws | $10,000
Tampering/Spoofing | $5,000
Remote DoS | $5,000
Information Disclosure | $2,500
Payout range is: $500 to $100,000 USD
We pay the highest bounties for:
1) High quality reports
• POC
• Detailed write up
2) High impact bugs
Online Services Bug Bounty Program
Security Vulnerability Types
XSS
CSRF
Authentication vulnerabilities
Privilege escalation
Injection Vulnerabilities
Insecure direct object reference
Unauthorized cross tenant access or tampering
Server-side code execution
Significant security misconfiguration
Payout range is: $500 to $15,000 USD (with 2x bounties up to $30,000)
The highest bounties can be earned on:
1. Authentication Vulnerabilities – OAuth, SAML 2.0 related bugs
2. Privilege Escalations
3. XSS and CSRF (on high traffic, high impact sites)
Bounties Paid To Date
• Mitigation Bypass, Bounty for Defense and BlueHat Prize > $600,000 USD
• Online Services Bug Bounty > $400,000 USD
• Software Bounties > $200,000 USD
Finder Appreciation and Retention (FAR)
Unique Opportunities
BlueHat invitations and speaking opportunities
Private Microsoft party invites at various conferences
Bountycraft invitations
Get hired by Microsoft
Rewards
At conferences we award top finders with MSDN licenses, customized Surface Pro laptops, Surface Books and other hardware
This will continue to grow
Bounty
Bounties are offered across a number of Microsoft products
This will continue to grow
Credit
Credit to finders in the form of CVE number attribution, and a formal thanks in the KB articles
This will continue
For more information:
• https://technet.microsoft.com/en-us/security/mt767986
• https://technet.microsoft.com/en-us/security/dn469163
Top 100 Finders for 2016
1. ZDI - Disclosures
2. Richard Shupak
3. Mateusz Jurczyk
4. I - Defense
5. Steven Vittitoe
6. Bo Qu
7. Tyan
8. Zheng Huang
9. Peter Allor
10. Chenxuebin
11. Liu Long
12. Zhang Yunhai
13. Haifei Li
14. Yu Yang
15. Moritz Jodeit
16. Jack Tang
17. Henry Li
18. Linan Hao
19. XLAB - Tencent
20. Kai Kang
21. Cameron Dawe
22. Suwei Chen
23. Adobe PSIRT
24. Shi Ji
25. James Forshaw
26. Ben Hawkes
27. Zhoujp
28. Mgchoi
29. Atte Kettunen
30. Lucas Leong
31. Kai Song aka Exp-Sky (Tencent)
32. Mbarbella
33. Fortinet
34. Nicolas Dolgin
35. Chris Evans
36. Zer0mem
37. Dhanesh Kizhakkinan
38. Taylor Woll
39. Hui Gao
40. Wenxiang Qian
41. Jaanus Kaap
42. Richard Warren
43. Robert Gawlik
44. Lvbluesky
45. Noamr
46. Zhong She Fang
47. Adi Ivascu
48. Karim Valiev
49. Nicolas Gregoire
50. Jaehun Jeong
51. Cert-CC
52. Fanxiaocao
53. Yangkang3
54. Tongbo Luo
55. Tigonlab
56. Nesk
57. Fuzzers
58. Chendongli
59. Winsonliu
60. Zhengwen Bin
61. Jack Whitton
62. Pflashispunk
63. Dan Caselden
64. Luciano Corsalini
65. Fengzhi Yong
66. Mario Heiderich
67. Yorick Koster
68. Sourceincite
69. Lu
70. Saurabh Pundir
71. Udi Yavo
72. Rodolfo Godalle
73. Abdel Hafid Ait Chikh
74. Stefan Kanthak
75. Klyin
76. Eric Lawrence
77. Scott Bell
78. Sebastien Morin
79. Nicolas Joly
80. Li Kemeng
81. Michail Bolshov
82. Mustafa Hasan
83. Th3proinformatique
84. Hao Linan
85. Ajayanandctg
86. Alex Ionescu
87. John Page
88. Costin Raiu
89. Bingchang Liu
90. Hamza Bettache
91. Kostya Kortchinsky
92. Ivan Grigorov
93. Is4curity
94. Anatolii Bench
95. Mandeep Jadon
96. Yunxiang Wyx
97. Zhang Cong
98. Shernan
99. Skylined
100. Rafal Wojtczuk
Researcher Distribution
Regions | Software Bounties | Services Bounties
Europe | 33% | 39%
Asia | 38% | 25%
North America | 28% | 26%
Middle East | 0% | 8%
South America | 1% | 2%
Top Three in This Region
Software Vulnerabilities
1) RCE
2) EoP
3) Security Feature Bypass
Services Vulnerabilities
1) XSS (which lead to EoP)
2) Security Misconfiguration (which enable tampering/spoofing)
3) CSRF (which enable tampering/spoofing)
Making It To The MSRC Top 100 List
The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100
MSRC has 1000s of finders across time
• Most have reported 1 bug over time
• Many times the 1 bug was a duplicate
• A few more have reported 2-3 across time
Our top 100 finders report regularly
• Responsible for most of our critical vulnerabilities
• Discover 2+ novel security bugs per year
• Still get regular duplicate reports (internally or externally known)
The top 10 have reported LOTS of bugs
• Spend most of their time looking for bugs
• Many work for partner companies
• Others are full-time bug hunters
  • Penetration Testers
  • Professional Bug Bounty hunters
CVD: Coordinated Vulnerability Disclosure
• We request that you keep customers secure by maintaining the confidentiality of the vulnerability report to MSRC
• If you wish to discuss the vulnerability publicly or blog about it, please wait until it has been fixed and patches have been released to customers
• Preferably, blog or present the vulnerability 30 days after it has been patched. This gives customers enough time to take the patch
• Never publish any exploit code (please)
• We are happy to provide technical review to any talks, white papers or blogs you are publishing
For additional information about this program: https://technet.microsoft.com/en-us/security/dn467923.aspx
Take Action
1. https://aka.ms/BugBounty
2. Identify the bounty
3. Report your findings to [email protected]
4. Give us your name and a good email to reach you at
5. Encrypt with our public key (if it’s a PoC or working exploit)
6. For eligible bounty cases, GET PAID!
Always maintain CVD
[email protected] – 2015 Stats
One entry point for Security Vulnerability Reports
1000s
Bulletins released 135
CVEs fixed 527
twitter.com/akilsrin
Aka.ms/BugBounty