Since this is just focused on the last decade, we’ll skip the Netscape bounty of 1995, summarizing that the price was steady at $500 for 15 years, & go straight to Google’s launch of their first bug bounty against Chromium. $1337 was offered for bugs. Later that year, $3133.7.
That got some attention. Mozilla, who continued the Netscape bug bounty, now against Firefox, raised their bounty to $3000. Why, if Netscape & then Mozilla had been doing this steadily for 15 years, was Google’s entry into paying for bugs a disruptive big deal? 2 reasons.
Prices going up from a previous high water mark was an obvious disruption - but not to offense market players, even though the false narrative was already starting back then that you needed to “compete” with the offense market for bugs if you made software. Offense market be like...
The other disruption was Chrome itself. It was a brand new code base without big enterprise market share in 2010, & an update model that pushed silent patches. Internet Explorer had about 60% market share, Mozilla had about half that, & Chrome was only around 9% of the browsers.
This was significant in that it allowed Google much bolder moves in bug hunting & publicity from putting up cash. I was at Microsoft at the time & an exec had been quoted just 2 years prior saying that as long as he was there, MS would never pay for bugs. He’s still there, btw.
I was about to take a job at Adobe but my managers convinced me to stay. Promotion? No. Raise? Nah. I stayed because they asked me to work on how to possibly do bug bounties at the biggest software company in the world. The one that receives the most bug reports of anyone, still.
So I embarked on that journey starting w MS bug & labor cost data. Number crunching to estimate bounty budget, labor cost increases, & help decide initial scope. The perfectly good 1st draft bug bounty would have checked a few boxes. Would’ve been biggest & covered more products.
At the time, it would have cost less in $5000 bug bounties for all bugs rated “Critical or Important” for Windows, IE, & Office for the latest versions plus 2 versions going back, than a single emergency patch process (called a SSIRP). Avg SSIRP was ~$6M. $1.8M was all I needed.
So why didn’t they pull the trigger in 2010? Even though we knew we wouldn’t prevent all SSIRPs (Software Security Incident Response Protocol), this seemed like an easy win, right? Because it wasn’t about money. It was about competing w a growing threat in the marketplace: Chrome.
Only I didn’t know that at the time. I also didn’t yet fully comprehend the massive politics that money couldn’t address fully: Who would pay for the increase in triage volume? MS Response already had high triage turnover. MS already received >200,000 non-spam email messages/year.
I could keep this thread going longer w the Harvard biz professor-written economics papers, or MSR game theory papers that I commissioned over those next 2 years. While they played a part in shaping the bounties, none of them got MS to pay for what it was already getting for free.
So what changed in 2013 that allowed me to finally announce the 1st MS bug bounties? It happened back in 2011, after we had announced the largest defensive prize ever: $250,000 in prizes for new platform-wide technical exploit mitigations. What happened? Chrome overtook IE.
We’d committed to run the BlueHat Prize for defense 1st tho. (Google totes hired one of the winners, lol, good one guys!) But the bounty beast was still on my back to solve, so with my 12 slide deck, 1000 meetings later, I finally got a meeting w the head of IE April 4 2013.
The plan was calculated for a crawl-walk-run approach in scope, with expansions planned in budget, staff, & products included projected over the next 3 years. When we got to slide 2, he waved his hand & said: I’m going to make this easy on you. How much? It was the left slide: https://twitter.com/k8em0/status/1008393048047226880
Not to recapitulate the thread I just quoted above, the move was strategic traffic shaping to get bugs early in the beta, instead of after beta was closed, which was generally bad for anyone. It was deadly for a browser in market share decline against fast-patching rival Chrome.
Suddenly, we had money committed from the 1st targeted product team, & we’d built up additional internal staff capacity planning for increased labor costs in MSRC. IE set timing: We’d announce 1 week prior to the IE11 beta release. June 19, 2013. June 5, this guy made headlines.
Everyone in MS security was on strict lockdown, total media blackout, no spokespeople talking to reporters, even on unrelated security news we wanted to share. But the bounties couldn’t wait. So IE comms overruled TWC comms & thus, we were STILL ON to announce the bounties.
Thought I would do this in one history thread, but I’m tired, this is long already, & we haven’t even gotten to Hack the Pentagon yet. I’ll let you all vote on the next installment & pause for now. Next thread chapter should go through which branch of bug bounty history?
Click on the above link to expand the tweet, see the poll & vote. I’m not doing write-ins for this. :) I have a company to run, & though the bounty weeds are lovely, dark & deep, I have promises to keep, and miles to go before I sleep, & miles to go before I sleep.
Ok I am going to leave the Twitter poll open for a day, but I just have to laugh at the early results that have people’s interest in the rise of bug bounty platforms on par with their curiosity about my homegrown lettuce. Maybe their investors should look into hydroponics.
9 hours left to vote on the next installment of This Old Decade - Bug Bounty edition. I’m still kind of dying over here that my aeropod lettuce garden is still steadily dusting Rise of Bounty Platforms. The lettuce may well beat Regulatory Nincompoopery at this rate.
Poll results are in! A clear majority want to know what happened next chronologically, followed by regulatory nincompoopery, then a lettuce garden update, then the rise of bounty platforms.
Where were we... Right about to announce the first MS bounties in Bangkok at midnight.
Why Bangkok at midnight? April to June (from getting the green light from IE to the announcement) wasn’t long, & I was already committed to speaking at the FIRST conference about upcoming ISO standards governing Vuln disclosure & handling processes. So we’d have to announce there.
I thought it polite to warn the FIRST board that I was about to do this radical change from my proposed ISO talk scheduled for the morning, so I briefed the chair of FIRST at the time, my friend Steve Adegbite. He & I shared it w the rest of the board, some of whom WERE FURIOUS.
The FIRST board contains employees of the largest companies. One of them said “How dare you break ranks & start paying?” I responded by saying I’d be happy to help him w talking points about why his company wasn’t doing bug bounties. I don’t think he heard me through the rage.
Here’s a good time to talk about fear. He wasn’t wrong to be afraid of what this meant for other companies of Microsoft’s size & age. MS had over 800 supported products, services, & even hardware, & tons of legacy code & hard to fix dependencies - & that was just current versions.
Remember how Google got to start their bug bounty on a single new product w no legacy code & not enough browser market share to make it very risky for them then? Yeah, completely different set of problems for older orgs. So I designed the IE beta bounty & mitigation bypass bounty.
We set the mitigation bypass bounty at $100,000, the same top prize offered the same year at the @Pwn2Own_Contest. One of the fears expressed by MS internally & this FIRST board member seething at me hours before we announced, was prices increasing past the point of feasibility.
We’ll get to the current million dollar bounties later. Sticking to chronological order, now I had to wait for 10 AM Redmond time, when my blogs & the official page with the bounty rules would go live. I was in Bangkok. Who did I know in Bangkok? My friend @thegrugq, that’s who!
My friends @l33tdawg & @BelindaChoong flew from Malaysia to check out FIRST, so after drinks w @thegrugq, @ChrisJohnRiley, & @mckeay, we headed back to my room to wait for the crack of midnight. I called @dakami, @0xcharlie, @dinodaizovi & a couple others right before announcing.
Hacker. MIT Sloan & Harvard Belfer visiting scholar.