• Security Program Manager in the MSRC: Bug Bounty, Outreach to the Security Research and Partner Community, Security Conference Sponsorship, Security Vulnerability Management (aka Case Management)
• In the past a Developer Consultant working with our hardware and software partners
• I graduated from Georgia Institute of Technology with a bachelor's in Electrical Engineering
• In my spare time, I enjoy playing basketball and watching anime

Bounty Programs

Microsoft Bounty Programs

A bug bounty is a program set up to identify criteria around what someone will pay for reporting bugs
• Microsoft is focused on security vulnerabilities

Various parties offer bounties for software and services bugs
• Those who write the code (Microsoft, , , Yahoo! etc…)
• Agents of those who write the code (BugCrowd, HackerOne, SynAck, etc…)
• Concerned parties who use the code (Internet Bug Bounty, Github, etc…)
• Vulnerability resellers (Zerodium, Zeronomicon)

Microsoft Bounty Programs Old and New

Program | Maximum Bounty | Duration | Active/Closed
Edge Web Platform on WIP slow | $15,000 | End May 15, 2017 | Active
.NET Core and ASP.NET Core | $15,000 | Sustained | Active
Online Services (O365 and Azure) | $15,000 | Sustained | Active
Mitigation Bypass | $100,000 | Sustained | Active
Bounty for Defense | $100,000 | Sustained | Active
.NET Core and ASP.NET Core RC2 | $15,000 | End Sept 7, 2016 | Closed
Nano Server TP5 | $15,000 | Ended 29 July | Closed
ASP.NET and CoreCLR (part 1) | $15,000 | 2015 | Closed
Microsoft Edge Beta Bounty Program (part 1) | $15,000 | 2015 | Closed
BlueHat Prize | $100,000 | 2013 | Closed

New Microsoft Bounty Programs

• Microsoft Edge Web Platform Bug Bounty

• Microsoft .NET Core and ASP.NET Core Bug Bounty

https://blogs.technet.microsoft.com/msrc/

Microsoft Edge Beta Web Platform Bounty (Part 2)

W3C standards
• The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build
• Program runs Aug 4, 2016 to May 15, 2017
• Microsoft will pay up to $1,500 USD for the first report received on an internally known issue

Vulnerability Type | Payout Range (USD)*
Remote Code Execution in Microsoft Edge on recent builds of WIP slow | Up to $15,000
Violations of W3C standards that compromise privacy or integrity of important user data | Up to $6,000
  This includes: violation of SoP (i.e. UXSS); referrer spoofs
  This does not include: XSS and CSRF (report these to the web site owner); XSS filter bypass

For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx

Edge Attack Surface Reduction

With the Edge browser, we also seized the opportunity to drastically reduce the attack surface exposed to the web

• No legacy document modes
• No legacy script engines (VBScript, JScript)
• No Vector Markup Language (VML)
• No Toolbars
• No Browser Helper Objects (BHOs)
• No ActiveX controls

[Bar chart, scale 0 to 150, series H1 (Aug 2015 - Jan 2016) and H2 (Feb 2016 - Jul 2016): Edge 22 and 34; Internet Explorer 81 and 47]

.NET Core and ASP.NET Core Bug Bounty

• Vulnerabilities in the latest available .NET builds
• Program began September 1, 2016 (continuous)
• All bugs have to reproduce in the latest beta or release candidates to qualify
• Pays up to $15,000 USD

Vulnerability type | Payout range (USD)
Remote Code Execution | $15,000 to $1,500
Security Design Flaw | $10,000 to $1,500
Elevation of Privilege | $10,000 to $5,000
Remote DoS | $5,000 to $2,500
Tampering / Spoofing | $5,000 to $500
Information Leaks | $2,500 to $750
Template CSRF or XSS | $2,000 to $500

For additional information about this program: https://technet.microsoft.com/en-us/mt764065

Online Services Bug Bounty Program (O365 + Azure)

$500 to $15,000 USD

For additional information about this program: https://technet.microsoft.com/en-us/dn800983

Hyper-V

Hyper-V escapes that will receive a bounty

Up to $100,000 USD

For additional information about this program: https://technet.microsoft.com/en-us/dn425049

Mitigation Bypass and Bounty for Defense

A novel mitigation bypass, or a defense idea that would block exploitation

Up to $200,000 (Mit. Bypass + Bounty for Defense)

For additional information about this program: https://technet.microsoft.com/en-us/dn425049

Eliminating classes of vulnerabilities

We move beyond the “hand-to-hand combat” of finding and fixing individual issues by identifying ways to eliminate entire classes of vulnerabilities

Goal: Increase attacker cost of finding exploitable vulnerabilities

We Closely Study Vulnerability Root Cause Trends

[Stacked chart: vulnerability root causes by year, 2006 to 2016, as percentage shares; categories: Use After Free, Heap Corruption, Other, Type Confusion, Heap OOB Read, Uninitialized Use, Stack Corruption]

Analysis: High-level Vulnerability & Exploit Trends

[Two charts by patch year, 2006 to 2015: number of Microsoft RCE/EOP CVEs by patch year, and percentage of Microsoft RCE & EOP CVEs exploited within 30 days of patch]

Series: Total; Linear (Total); Exploited within 30 days of patch; Not known to be exploited

Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments

Measuring The Impact Of Our Strategy So Far

• The number of Microsoft vulnerabilities exploited within 30 days of a patch has continued to decline year over year despite increases in the number of vulnerabilities being addressed each year

• In the last two years, no zero day exploits for Microsoft RCE vulnerabilities have been found in-the-wild that work against Internet Explorer 11 on Windows 8.1+

• Since releasing Edge one year ago, there have been no zero day exploits found in-the-wild targeting Edge

Success Story: Internet Explorer Zero Day RCE

[Timeline chart, 1/1/2014 to 1/1/2016, of Internet Explorer zero day RCE CVEs (CVE-2014-0322, CVE-2014-0324, CVE-2014-1776, CVE-2014-1815, CVE-2015-2502, and a 0day exploit in Internet Explorer dated 7/5/2015) against Internet Explorer security features shipped: Use-After-Free hardening v1 and v2, Out-of-Date Java Blocking, CFG for Windows 8.1 (optional update 11/7/2014, default 2/11/2015), Type Protector, MemGC in IE 11. CVEs by year: 2013: 8, 2014: 4, 2015: 1]

• A focus on mitigations for disruption of invariant techniques used in exploits (ROP, Heap Spraying, UAF)
• In 2015 only 6 days with a known zero day Internet Explorer RCE exploit in-the-wild (previously 135 days, then 45 days)
• Vulnerability volume has increased but number of zero day exploits has decreased

Software Bug Bounty Program

Security Vulnerability Impacts and Payouts

Bypassing existing mitigations in the OS or Browser | $100,000
Hyper-V escapes | $100,000
Remote Code Execution | $15,000
Elevation of Privileges | $10,000
Security Design Flaws | $10,000
Tampering/Spoofing | $5,000
Remote DoS | $5,000
Information Disclosure | $2,500

We pay the highest bounties for:
1) High quality reports
  • POC
  • Detailed write up
2) High impact bugs

Payout range is: $500 to $100,000 USD

Online Services Bug Bounty Program

Security Vulnerability Types
• XSS
• CSRF
• Authentication vulnerabilities
• Privilege escalation
• Injection Vulnerabilities
• Insecure direct object reference
• Unauthorized cross tenant access or tampering
• Server-side code execution
• Significant security misconfiguration

The highest bounties can be earned on:
1. Authentication Vulnerabilities (OAuth, SAML 2.0 related bugs)
2. Privilege Escalations
3. XSS and CSRF (on high traffic, high impact sites)

Payout range is: $500 to $15,000 USD (with 2x bounties up to $30,000)

Bounties Paid To Date

• Mitigation Bypass, Bounty for Defense and BlueHat Prize > $600,000 USD

• Online Services Bug Bounty > $400,000 USD

• Software Bounties > $200,000 USD

Finder Appreciation and Retention (FAR)

Unique Bounty
• Bounties are offered across a number of Microsoft products
• This will continue to grow
• For more information:
  • https://technet.microsoft.com/en-us/security/mt767986
  • https://technet.microsoft.com/en-us/security/dn469163

Rewards
• At conferences we award top finders with MSDN licenses, Surface Pro laptops, Surface Books and other hardware
• This will continue

Credit
• Credit to finders in the form of CVE number attribution, and formal thanks in the KB articles
• This will continue to grow

Opportunities
• BlueHat invitations and speaking opportunities
• A customized Private Microsoft party, invites at various conferences
• Bountycraft invitations
• Get hired by Microsoft

Top 100 Finders for 2016

1. ZDI - Disclosures
2. Richard Shupak
3. Mateusz Jurczyk
4. I - Defense
5. Steven Vittitoe
6. Bo Qu
7. Tyan
8. Zheng Huang
9. Peter Allor
10. Chenxuebin
11. Liu Long
12. Zhang Yunhai
13. Haifei Li
14. Yu Yang
15. Moritz Jodeit
16. Jack Tang
17. Henry Li
18. Linan Hao
19. XLAB - Tencent
20. Kai Kang
21. Cameron Dawe
22. Suwei Chen
23. Adobe PSIRT
24. Shi Ji
25. James Forshaw
26. Ben Hawkes
27. Zhoujp
28. Mgchoi
29. Atte Kettunen
30. Lucas Leong
31. Kai Song aka Exp-Sky (Tencent)
32. Mbarbella
33. Fortinet
34. Nicolas Dolgin
35. Chris Evans
36. Zer0mem
37. Dhanesh Kizhakkinan
38. Taylor Woll
39. Hui Gao
40. Wenxiang Qian
41. Jaanus Kaap
42. Richard Warren
43. Robert Gawlik
44. Lvbluesky
45. Noamr
46. Zhong She Fang
47. Adi Ivascu
48. Karim Valiev
49. Nicolas Gregoire
50. Jaehun Jeong
51. Cert-CC
52. Fanxiaocao
53. Yangkang3
54. Tongbo Luo
55. Tigonlab
56. Nesk
57. Fuzzers
58. Chendongli
59. Winsonliu
60. Zhengwen Bin
61. Jack Whitton
62. Pflashispunk
63. Dan Caselden
64. Luciano Corsalini
65. Fengzhi Yong
66. Mario Heiderich
67. Yorick Koster
68. Sourceincite
69. Lu
70. Saurabh Pundir
71. Udi Yavo
72. Rodolfo Godalle
73. Abdel Hafid Ait Chikh
74. Stefan Kanthak
75. Klyin
76. Eric Lawrence
77. Scott Bell
78. Sebastien Morin
79. Nicolas Joly
80. Li Kemeng
81. Michail Bolshov
82. Mustafa Hasan
83. Th3proinformatique
84. Hao Linan
85. Ajayanandctg
86. Alex Ionescu
87. John Page
88. Costin Raiu
89. Bingchang Liu
90. Hamza Bettache
91. Kostya Kortchinsky
92. Ivan Grigorov
93. Is4curity
94. Anatolii Bench
95. Mandeep Jadon
96. Yunxiang Wyx
97. Zhang Cong
98. Shernan
99. Skylined
100. Rafal Wojtczuk

Researcher Distribution

Regions | Software Bounties | Services Bounties
Europe | 33% | 39%
Asia | 38% | 25%
North America | 28% | 26%
Middle East | 0% | 8%
South America | 1% | 2%

Top Three in This Region

Software Vulnerabilities
1) RCE
2) EoP
3) Security Feature Bypass

Services Vulnerabilities
1) XSS (which lead to EoP)
2) Security Misconfiguration (which enable tampering/spoofing)
3) CSRF (which enable tampering/spoofing)

Making It To The MSRC Top 100 List

• MSRC has 1000s of finders across time
• Most have reported 1 bug over time
• Many times the 1 bug was a duplicate
• A few more have reported 2-3 across time
• Still get regular duplicate reports (internally or externally known)

• Our top 100 finders report regularly
• Responsible for most of our critical vulnerabilities
• Discover 2+ novel security bugs per year
• Many work for partner companies
• Others are full-time bug hunters: Penetration Testers, Professional Bug Bounty hunters

• The top 10 have reported LOTS of bugs
• Spend most of their time looking for bugs

The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100

CVD: Coordinated Vulnerability Disclosure

• We request that you keep customers secure by maintaining the confidentiality of the vulnerability report to MSRC
• If you wish to discuss the vulnerability publicly or blog about it, please wait until it has been fixed and patches have been released to customers
• Preferably, blog or present the vulnerability 30 days after it has been patched. This gives customers enough time to take the patch
• Never publish any exploit code (please)
• We are happy to provide technical review to any talks, white papers or blogs you are publishing

For additional information about this program: https://technet.microsoft.com/en-us/security/dn467923.aspx

Take Action

1. https://aka.ms/BugBounty
2. Identify the bounty
3. Report your findings to [email protected]
4. Give us your name and a good email to reach you at
5. Encrypt with our public key (if it’s a PoC or working exploit)
6. For eligible bounty cases, GET PAID!

[email protected] – 2015 Stats

One entry point for Security Vulnerability Reports
• Always maintain CVD
• 1000s
• Bulletins released: 135
• CVEs fixed: 527

Questions

[email protected]
twitter.com/akilsrin
Aka.ms/BugBounty