Before you get too excited thinking this is a wanted poster in the criminal sense, it is not. It is an offer from Microsoft to pay a “bounty” to hackers who discover and document security flaws in its Identity Services software. So, crime pays? No, this is white hat hacking, and no crimes are being committed.
White hat hackers are security researchers and others who test software, firmware, and other computer tech to identify flaws that can be turned into exploits by the bad actors, or “black hat” hackers. These good guys of the “hackiverse” work to counteract the efforts of their nefarious counterparts. Sometimes the good guys steal a march on the bad guys and find flaws before they become problems for millions of computer users around the world.
A reasonable question to ask is, “Why doesn’t Microsoft do this type of research themselves? Wouldn’t it be cheaper?” Of course, it would be cheaper, but software and hardware developers have proven over the last few years that they don’t or can’t find the flaws. Some of it comes from the “can’t see the forest for the trees” effect. Developers are so close to the tech that they become blind to flaws. Another contributing factor is the sheer complexity of software and hardware. A third contributor can be pressure to meet release dates.
What they need are fresh eyes and minds taking apart their products in a real-world setting. The white hat hackers apply various tools and techniques to see what happens. They are people free to make things break, just what developers need.
An article in Hacker News goes into the details of the Microsoft Identity Bounty Program. Microsoft is trying to create software that eliminates the ability to compromise and use the digital identities of users. If they can secure this piece of the puzzle, Microsoft severely limits the value of any data stolen. It is the digital identity that gives stolen data maximum value on the dark web.
The payout range is from USD 500 to USD 100,000. Microsoft has set up specific criteria and conditions that determine how much each flaw submitted earns. The submittal must attack certain pieces of software related to creating and protecting digital identities and must be fully documented in a manner that allows replication by Microsoft.
Not being blessed with the mad coding skills of either white hat or black hat hackers, I cannot comment on whether the bounty amounts are enough to entice people into trying to earn them. The amounts seem attractive, but I can imagine the value of stolen data exceeding the bounties by a fair amount, even if they score these sales with less frequency.
Perhaps this will spark a trend and encourage action on the part of the good actors. It will be nice to see our side beating the bad guys to the punch more often.
In the meantime, you can trust the security of your digital identity and data when communicating via the internet to the CRIP.TO end-to-end encryption solution. We use a unique recipe of encryption algorithms and custom hardware to provide the highest level of secured communications available to individuals, groups, and companies.
We all deserve the freedom to communicate fearlessly, free from worry over hackers or others intercepting and decrypting our messages, identities, and data. With CRIP.TO you get that freedom. Check us out to learn how.