Akila srinivasan microsoft-bug_bounty-(publish)

Transcript of Akila srinivasan microsoft-bug_bounty-(publish) (29 pages)

Page 1: Akila srinivasan microsoft-bug_bounty-(publish)

Page 2

Security Program Manager in the MSRC:

• Bug Bounty

• Outreach to the Security Research and Partner Community

• Security Conference Sponsorship

• Security Vulnerability Management, aka Case Management

In the past, a Microsoft Developer Consultant working with our hardware and software partners

I graduated from Georgia Institute of Technology with a bachelor's in Electrical Engineering

In my spare time, I enjoy playing basketball and watching anime

Page 3

Bounty Programs

Page 4

Microsoft Bounty Programs

• A bug bounty is a program set up to identify criteria around what someone will pay for reporting bugs

• Microsoft is focused on security vulnerabilities

Various parties offer bounties for software and services bugs:

• Those who write the code (Microsoft, Google, Facebook, Yahoo!, etc.)

• Agents of those who write the code (BugCrowd, HackerOne, SynAck, etc.)

• Concerned parties who use the code (Internet Bug Bounty, GitHub, etc.)

• Vulnerability resellers (Zerodium, Zeronomicon)

Page 5

Microsoft Bounty Programs Old and New

Program                                      Maximum Bounty  Duration            Active/Closed
Edge Web Platform on WIP slow                $15,000         End May 15, 2017    Active
.NET Core and ASP.NET Core                   $15,000         Sustained           Active
Online Services (O365 and Azure)             $15,000         Sustained           Active
Mitigation Bypass                            $100,000        Sustained           Active
Bounty for Defense                           $100,000        Sustained           Active
.NET Core and ASP.NET Core RC2               $15,000         End Sept 7, 2016    Closed
Nano Server TP5                              $15,000         Ended 29 July       Closed
ASP.NET and CoreCLR (part 1)                 $15,000         2015                Closed
Microsoft Edge Beta Bounty Program (part 1)  $15,000         2015                Closed
BlueHat Prize                                $100,000        2013                Closed

Page 6

New Microsoft Bounty Programs

• Microsoft Edge Web Platform Bug Bounty

• Microsoft .NET Core and ASP.NET Core Bug Bounty

https://blogs.technet.microsoft.com/msrc/

Page 7

Microsoft Edge Beta Web Platform Bounty (Part 2)

W3C standards

• The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build

• Program runs Aug 4, 2016 to May 15, 2017

• Microsoft will pay up to $1,500 USD for the first report received on an internally known issue

Vulnerability Type / Payout Range (USD) *

• Remote Code Execution in Microsoft Edge on recent builds of WIP slow: Up to $15,000

• Violations of W3C standards that compromise privacy or integrity of important user data: Up to $6,000

  This includes:
  • Violation of SoP, i.e. UXSS
  • Referrer spoofs

  This does not include:
  • XSS, CSRF: report these to the web site owner
  • XSS filter bypass

For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx

Page 8

Edge Attack Surface Reduction

With the Edge browser, we also seized the opportunity to drastically reduce the attack surface exposed to the web:

• No legacy document modes

• No legacy script engines (VBScript, JScript)

• No Vector Markup Language (VML)

• No Toolbars

• No Browser Helper Objects (BHOs)

• No ActiveX controls

[Bar chart: vulnerability counts for Internet Explorer vs. Edge over H1 (Aug 2015 - Jan 2016) and H2 (Feb 2016 - Jul 2016); axis 0 to 150]

Page 9

.NET Core and ASP.NET Core Bug Bounty

• Vulnerabilities in the latest available .NET builds

• Program began September 1, 2016 (continuous)

• All bugs have to reproduce in the latest beta or release candidates to qualify

• Pays up to $15,000 USD

Vulnerability type       Payout range (USD)
Remote Code Execution    $15,000 to $1,500
Security Design Flaw     $10,000 to $1,500
Elevation of Privilege   $10,000 to $5,000
Remote DoS               $5,000 to $2,500
Tampering / Spoofing     $5,000 to $500
Information Leaks        $2,500 to $750
Template CSRF or XSS     $2,000 to $500

For additional information about this program: https://technet.microsoft.com/en-us/mt764065

Page 10

Online Services Bug Bounty Program

O365 + Azure

$500 to $15,000 USD

For additional information about this program: https://technet.microsoft.com/en-us/dn800983

Page 11

Hyper-V

Hyper-V escapes that will receive a bounty

Up to $100,000 USD

For additional information about this program: https://technet.microsoft.com/en-us/dn425049

Page 12

Mitigation Bypass and Bounty for Defense

Novel mitigation bypass, or defense idea that would block an exploitation

Up to $200,000 (Mit. Bypass + Bounty for Defense)

For additional information about this program: https://technet.microsoft.com/en-us/dn425049

Page 13

Eliminating classes of vulnerabilities

We move beyond the “hand-to-hand combat” of finding and fixing individual issues by identifying ways to eliminate entire classes of vulnerabilities.

Goal: Increase attacker cost of finding exploitable vulnerabilities

Page 14

We Closely Study Vulnerability Root Cause Trends

[Stacked chart: share of vulnerabilities by root cause class for each year 2006-2016 (y-axis 0% to 100%). Classes: Use After Free, Heap Corruption, Other, Type Confusion, Heap OOB Read, Uninitialized Use, Stack Corruption]

Page 15

Analysis: High-level Vulnerability & Exploit Trends

Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments

Chart 1: % of Microsoft RCE & EOP CVEs exploited within 30 days of patch, by patch year (series: Exploited within 30 days of patch / Not known to be exploited)

Chart 2: # of Microsoft RCE/EOP CVEs by patch year (Total, with linear trend)

CVE counts by patch year, from the data labels of both charts:

Patch Year  Exploited within 30 days of patch  Not known to be exploited  Total
2006        24                                 97                         121
2007        18                                 93                         111
2008        19                                 114                        133
2009        25                                 130                        155
2010        61                                 157                        218
2011        43                                 156                        199
2012        25                                 116                        141
2013        21                                 266                        287
2014        18                                 282                        300
2015        18                                 396                        414

Page 16

Measuring The Impact Of Our Strategy So Far

• The number of Microsoft vulnerabilities exploited within 30 days of a patch has continued to decline year over year despite increases in the number of vulnerabilities being addressed each year

• In the last two years, no zero day exploits for Microsoft RCE vulnerabilities have been found in-the-wild that work against Internet Explorer 11 on Windows 8.1+

• Since releasing Edge one year ago, there have been no zero day exploits found in-the-wild targeting Edge

Page 17

Success Story: Internet Explorer

[Timeline, 1/1/2014 to 1/1/2016]

0day exploits in Internet Explorer:

• 2/12/2014 - 3/11/2014: CVE-2014-0322

• 2/19/2014 - 3/11/2014: CVE-2014-0324

• 4/23/2014 - 5/1/2014: CVE-2014-1776

• 5/1/2014 - 5/13/2014: CVE-2014-1815

• 8/18/2015: CVE-2015-2502

New Internet Explorer Security Features:

• 6/8/2014: Use-After-Free hardening v1

• 7/6/2014: Use-After-Free hardening v2

• 8/3/2014: Out-of-Date Java Blocking

• 11/7/2014: CFG Windows 8.1 Shipped (Optional Update)

• 2/11/2015: CFG for Windows 8.1 Shipped (Default)

• 7/5/2015: Type Protector Shipped

• 10/1/2015: MemGC IE 11

Year  Zero Day RCE CVE
2013  8
2014  4
2015  1

• A focus on mitigations for disruption of invariant techniques used in exploits (ROP, Heap Spraying, UAF)

• In 2015 only 6 days with a known zero day Internet Explorer RCE exploit in-the-wild (previously 135 days, then 45 days)

• Vulnerability volume has increased but number of zero day exploits has decreased

Page 18

Software Bug Bounty Program

Security Vulnerability Impacts and Payouts

Bypassing existing mitigations in the OS or Browser  $100,000
Hyper-V escapes                                      $100,000
Remote Code Execution                                $15,000
Elevation of Privileges                              $10,000
Security Design Flaws                                $10,000
Tampering/Spoofing                                   $5,000
Remote DoS                                           $5,000
Information Disclosure                               $2,500

Payout range is: $500 to $100,000 USD

We pay the highest bounties for:

1) High quality reports

• POC

• Detailed write up

2) High impact bugs

Page 19

Online Services Bug Bounty Program

Security Vulnerability Types:

• XSS

• CSRF

• Authentication vulnerabilities

• Privilege escalation

• Injection Vulnerabilities

• Insecure direct object reference

• Unauthorized cross tenant access or tampering

• Server-side code execution

• Significant security misconfiguration

Payout range is: $500 to $15,000 USD (with 2x bounties up to $30,000)

The highest bounties can be earned on:

1. Authentication Vulnerabilities – OAuth, SAML 2.0 related bugs

2. Privilege Escalations

3. XSS and CSRF (on high traffic, high impact sites)

Page 20

Bounties Paid To Date

• Mitigation Bypass, Bounty for Defense and BlueHat Prize: > $600,000 USD

• Online Services Bug Bounty: > $400,000 USD

• Software Bounties: > $200,000 USD

Page 21

Finder Appreciation and Retention (FAR)

Unique Opportunities

• BlueHat invitations and speaking opportunities

• Private Microsoft party invites at various conferences

• Bountycraft invitations

• Get hired by Microsoft

Rewards

• At conferences we award top finders with MSDN licenses, customized Surface Pro laptops, Surface Books and other hardware

• This will continue to grow

Bounty

• Bounties are offered across a number of Microsoft products

• This will continue to grow

Credit

• Credit to finders in the form of CVE number attribution, and a formal thanks in the KB articles

• This will continue

For more information:

• https://technet.microsoft.com/en-us/security/mt767986

• https://technet.microsoft.com/en-us/security/dn469163

Page 22

Top 100 Finders for 2016

1. ZDI - Disclosures

2. Richard Shupak

3. Mateusz Jurczyk

4. I - Defense

5. Steven Vittitoe

6. Bo Qu

7. Tyan

8. Zheng Huang

9. Peter Allor

10. Chenxuebin

11. Liu Long

12. Zhang Yunhai

13. Haifei Li

14. Yu Yang

15. Moritz Jodeit

16. Jack Tang

17. Henry Li

18. Linan Hao

19. XLAB - Tencent

20. Kai Kang

21. Cameron Dawe

22. Suwei Chen

23. Adobe PSIRT

24. Shi Ji

25. James Forshaw

26. Ben Hawkes

27. Zhoujp

28. Mgchoi

29. Atte Kettunen

30. Lucas Leong

31. Kai Song aka Exp-Sky (Tencent)

32. Mbarbella

33. Fortinet

34. Nicolas Dolgin

35. Chris Evans

36. Zer0mem

37. Dhanesh Kizhakkinan

38. Taylor Woll

39. Hui Gao

40. Wenxiang Qian

41. Jaanus Kaap

42. Richard Warren

43. Robert Gawlik

44. Lvbluesky

45. Noamr

46. Zhong She Fang

47. Adi Ivascu

48. Karim Valiev

49. Nicolas Gregoire

50. Jaehun Jeong

Page 23

Top 100 Finders for 2016 (continued)

51. Cert-CC

52. Fanxiaocao

53. Yangkang3

54. Tongbo Luo

55. Tigonlab

56. Nesk

57. Fuzzers

58. Chendongli

59. Winsonliu

60. Zhengwen Bin

61. Jack Whitton

62. Pflashispunk

63. Dan Caselden

64. Luciano Corsalini

65. Fengzhi Yong

66. Mario Heiderich

67. Yorick Koster

68. Sourceincite

69. Lu

70. Saurabh Pundir

71. Udi Yavo

72. Rodolfo Godalle

73. Abdel Hafid Ait Chikh

74. Stefan Kanthak

75. Klyin

76. Eric Lawrence

77. Scott Bell

78. Sebastien Morin

79. Nicolas Joly

80. Li Kemeng

81. Michail Bolshov

82. Mustafa Hasan

83. Th3proinformatique

84. Hao Linan

85. Ajayanandctg

86. Alex Ionescu

87. John Page

88. Costin Raiu

89. Bingchang Liu

90. Hamza Bettache

91. Kostya Kortchinsky

92. Ivan Grigorov

93. Is4curity

94. Anatolii Bench

95. Mandeep Jadon

96. Yunxiang Wyx

97. Zhang Cong

98. Shernan

99. Skylined

100. Rafal Wojtczuk

Page 24

Researcher Distribution

Regions        Software Bounties  Services Bounties
Europe         33%                39%
Asia           38%                25%
North America  28%                26%
Middle East    0%                 8%
South America  1%                 2%

Top Three in This Region

Software Vulnerabilities

1) RCE

2) EoP

3) Security Feature Bypass

Services Vulnerabilities

1) XSS (which lead to EoP)

2) Security Misconfiguration (which enable tampering/spoofing)

3) CSRF (which enable tampering/spoofing)

Page 25

Making It To The MSRC Top 100 List

The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100

MSRC has 1000s of finders across time

• Most have reported 1 bug over time

• Many times the 1 bug was a duplicate

• A few more have reported 2-3 across time

Our top 100 finders report regularly

• Responsible for most of our critical vulnerabilities

• Discover 2+ novel security bugs per year

• Still get regular duplicate reports (internally or externally known)

The top 10 have reported LOTS of bugs

• Spend most of their time looking for bugs

• Many work for partner companies

• Others are full-time bug hunters: Penetration Testers, Professional Bug Bounty hunters

Page 26

CVD: Coordinated Vulnerability Disclosure

• We request that you keep customers secure by maintaining the confidentiality of the vulnerability report to MSRC

• If you wish to discuss the vulnerability publicly or blog about it, please wait until it has been fixed and patches have been released to customers

• Preferably, blog or present the vulnerability 30 days after it has been patched. This gives customers enough time to take the patch

• Never publish any exploit code (please!)

• We are happy to provide technical review of any talks, white papers or blogs you are publishing

For additional information about this program: https://technet.microsoft.com/en-us/security/dn467923.aspx

Page 27

Take Action

1. https://aka.ms/BugBounty

2. Identify the bounty

3. Report your findings to secure@microsoft.com

4. Give us your name and a good email to reach you at

5. Encrypt with our public key (if it’s a PoC or working exploit)

6. For eligible bounty cases, GET PAID!

Page 28

secure@microsoft.com – 2015 Stats

One entry point for Security Vulnerability Reports

Always maintain CVD

1000s

Bulletins released 135

CVEs fixed 527

Page 29

[email protected]

twitter.com/akilsrin

Aka.ms/BugBounty