
Akila srinivasan microsoft-bug_bounty-(publish)

Published on: PacSec2016


  1. Security Program Manager in the MSRC
     • Bug Bounty
     • Outreach to the Security Research and Partner Community
     • Security Conference Sponsorship
     • Security Vulnerability Management aka Case Management
     In the past a Microsoft Developer Consultant working with our hardware and software partners.
     I graduated from Georgia Institute of Technology with a bachelor's in Electrical Engineering.
     In my spare time, I enjoy playing basketball and watching anime.
  2. Bounty Programs
  3. Microsoft Bounty Programs
     A bug bounty is a program set up to identify criteria around what someone will pay for reporting bugs
     • Microsoft is focused on security vulnerabilities
     Various parties offer bounties for software and services bugs
     • Those who write the code (Microsoft, Google, Facebook, Yahoo!, etc.)
     • Agents of those who write the code (BugCrowd, HackerOne, SynAck, etc.)
     • Concerned parties who use the code (Internet Bug Bounty, GitHub, etc.)
     • Vulnerability resellers (Zerodium, Zeronomicon)
  4. Microsoft Bounty Programs Old and New
     Program / Maximum Bounty / Duration / Active or Closed
     • Edge Web Platform on WIP slow / $15,000 / End May 15, 2017 / Active
     • .NET Core and ASP.NET Core / $15,000 / Sustained / Active
     • Online Services (O365 and Azure) / $15,000 / Sustained / Active
     • Mitigation Bypass / $100,000 / Sustained / Active
     • Bounty for Defense / $100,000 / Sustained / Active
     • .NET Core and ASP.NET Core RC2 / $15,000 / End Sept 7, 2016 / Closed
     • Nano Server TP5 / $15,000 / Ended 29 July / Closed
     • ASP.NET and CoreCLR (part 1) / $15,000 / 2015 / Closed
     • Microsoft Edge Beta Bounty Program (part 1) / $15,000 / 2015 / Closed
     • BlueHat Prize / $100,000 / 2013 / Closed
  5. New Microsoft Bounty Programs
     • Microsoft Edge Web Platform Bug Bounty
     • Microsoft .NET Core and ASP.NET Core Bug Bounty
     https://blogs.technet.microsoft.com/msrc/
  6. Microsoft Edge Beta Web Platform Bounty (Part 2): W3C standards
     • The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build
     • Program runs Aug 4, 2016 to May 15, 2017
     • Microsoft will pay up to $1,500 USD for the first report received on an internally known issue
     Vulnerability Type / Payout Range (USD)*
     • Remote Code Execution in Microsoft Edge on recent builds of WIP slow / Up to $15,000
     • Violations of W3C standards that compromise privacy or integrity of important user data / Up to $6,000
       This includes: violation of SoP, i.e. UXSS; referrer spoofs
       This does not include: XSS, CSRF (report these to the web site owner); XSS filter bypass
     For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx
  7. Edge Attack Surface Reduction
     With the Edge browser, we also seized the opportunity to drastically reduce the attack surface exposed to the web
     • No legacy document modes
     • No legacy script engines (VBScript, JScript)
     • No Vector Markup Language (VML)
     • No Toolbars
     • No Browser Helper Objects (BHOs)
     • No ActiveX controls
     [Bar chart comparing Internet Explorer and Edge for H1 (Aug 2015 - Jan 2016) and H2 (Feb 2016 - Jul 2016)]
  8. .NET Core and ASP.NET Core Bug Bounty
     • Vulnerabilities in the latest available .NET builds
     • Program began September 1, 2016 (continuous)
     • All bugs have to reproduce in the latest beta or release candidates to qualify
     • Pays up to $15,000 USD
     Vulnerability type / Payout range (USD)
     • Remote Code Execution / $15,000 to $1,500
     • Security Design Flaw / $10,000 to $1,500
     • Elevation of Privilege / $10,000 to $5,000
     • Remote DoS / $5,000 to $2,500
     • Tampering / Spoofing / $5,000 to $500
     • Information Leaks / $2,500 to $750
     • Template CSRF or XSS / $2,000 to $500
     For additional information about this program: https://technet.microsoft.com/en-us/mt764065
  9. Online Services Bug Bounty Program (O365 + Azure): $500 to $15,000 USD
     For additional information about this program: https://technet.microsoft.com/en-us/dn800983
  10. Hyper-V: Hyper-V escapes that will receive a bounty, up to $100,000 USD
     For additional information about this program: https://technet.microsoft.com/en-us/dn425049
  11. Mitigation Bypass and Bounty for Defense: a novel mitigation bypass, plus a defense idea that would block an exploitation, up to $200,000 (Mit. Bypass + Bounty for Defense)
     For additional information about this program: https://technet.microsoft.com/en-us/dn425049
  12. Eliminating classes of vulnerabilities
     We move beyond the "hand-to-hand combat" of finding and fixing individual issues by identifying ways to eliminate entire classes of vulnerabilities.
     Goal: Increase attacker cost of finding exploitable vulnerabilities
  13. We Closely Study Vulnerability Root Cause Trends
     [Stacked chart of vulnerability root causes by year, 2006 to 2016, as a percentage of the total; categories: Use After Free, Heap Corruption, Other, Type Confusion, Heap OOB Read, Uninitialized Use, Stack Corruption]
  14. Analysis: High-level Vulnerability & Exploit Trends
     Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments
     Microsoft RCE/EOP CVEs by patch year (exploited within 30 days of patch / not known to be exploited / total):
     • 2006: 24 / 97 / 121
     • 2007: 18 / 93 / 111
     • 2008: 19 / 114 / 133
     • 2009: 25 / 130 / 155
     • 2010: 61 / 157 / 218
     • 2011: 43 / 156 / 199
     • 2012: 25 / 116 / 141
     • 2013: 21 / 266 / 287
     • 2014: 18 / 282 / 300
     • 2015: 18 / 396 / 414
     [Charts: "% of Microsoft RCE & EOP CVEs exploited within 30 days of patch" and "# of Microsoft RCE/EOP CVEs by patch year" (total, with linear trend)]
  15. Measuring The Impact Of Our Strategy So Far
     • The number of Microsoft vulnerabilities exploited within 30 days of a patch has continued to decline year over year despite increases in the number of vulnerabilities being addressed each year
     • In the last two years, no zero day exploits for Microsoft RCE vulnerabilities have been found in-the-wild that work against Internet Explorer 11 on Windows 8.1+
     • Since releasing Edge one year ago, there have been no zero day exploits found in-the-wild targeting Edge
  16. Success Story: Internet Explorer
     Timeline, 1/1/2014 to 1/1/2016 (0day exploits in Internet Explorer and new Internet Explorer security features):
     • 2/12/2014 - 3/11/2014: CVE-2014-0322 (0day exploit)
     • 2/19/2014 - 3/11/2014: CVE-2014-0324 (0day exploit)
     • 4/23/2014 - 5/1/2014: CVE-2014-1776 (0day exploit)
     • 5/1/2014 - 5/13/2014: CVE-2014-1815 (0day exploit)
     • 6/8/2014: Use-After-Free hardening v1
     • 7/6/2014: Use-After-Free hardening v2
     • 8/3/2014: Out-of-Date Java Blocking
     • 11/7/2014: CFG for Windows 8.1 shipped (optional update)
     • 2/11/2015: CFG for Windows 8.1 shipped (default)
     • 7/5/2015: Type Protector shipped
     • 8/18/2015: CVE-2015-2502 (0day exploit)
     • 10/1/2015: MemGC IE 11
     Zero Day RCE CVEs by year: 2013: 8, 2014: 4, 2015: 1
     • A focus on mitigations for disruption of invariant techniques used in exploits (ROP, Heap Spraying, UAF)
     • In 2015 only 6 days with a known zero day Internet Explorer RCE exploit in-the-wild (previously 135 days, then 45 days)
     • Vulnerability volume has increased but number of zero day exploits has decreased
  17. Software Bug Bounty Program
     Security Vulnerability Impacts and Payouts:
     • Bypassing existing mitigations in the OS or Browser / $100,000
     • Hyper-V escapes / $100,000
     • Remote Code Execution / $15,000
     • Elevation of Privileges / $10,000
     • Security Design Flaws / $10,000
     • Tampering/Spoofing / $5,000
     • Remote DoS / $5,000
     • Information Disclosure / $2,500
     Payout range is: $500 to $100,000 USD
     We pay the highest bounties for:
     1) High quality reports (POC, detailed write up)
     2) High impact bugs
  18. Online Services Bug Bounty Program
     Security Vulnerability Types: XSS; CSRF; Authentication vulnerabilities; Privilege escalation; Injection vulnerabilities; Insecure direct object reference; Unauthorized cross tenant access or tampering; Server-side code execution; Significant security misconfiguration
     Payout range is: $500 to $15,000 USD (with 2x bounties up to $30,000)
     The highest bounties can be earned on:
     1. Authentication Vulnerabilities (OAuth, SAML 2.0 related bugs)
     2. Privilege Escalations
     3. XSS and CSRF (on high traffic, high impact sites)
  19. Bounties Paid To Date
     • Mitigation Bypass, Bounty for Defense and BlueHat Prize > $600,000 USD
     • Online Services Bug Bounty > $400,000 USD
     • Software Bounties > $200,000 USD
  20. Finder Appreciation and Retention (FAR)
     Unique Opportunities: BlueHat invitations and speaking opportunities; private Microsoft party invites at various conferences; Bountycraft invitations; get hired by Microsoft
     Rewards: At conferences we award top finders with MSDN licenses, customized Surface Pro laptops, Surface Books and other hardware. This will continue to grow.
     Bounty: Bounties are offered across a number of Microsoft products. This will continue to grow.
     Credit: Credit to finders in the form of CVE number attribution, and a formal thanks in the KB articles. This will continue.
     For more information:
     • https://technet.microsoft.com/en-us/security/mt767986
     • https://technet.microsoft.com/en-us/security/dn469163
  21. Top 100 Finders for 2016 (1-50)
     1. ZDI - Disclosures 2. Richard Shupak 3. Mateusz Jurczyk 4. I - Defense 5. Steven Vittitoe 6. Bo Qu 7. Tyan 8. Zheng Huang 9. Peter Allor 10. Chenxuebin 11. Liu Long 12. Zhang Yunhai 13. Haifei Li 14. Yu Yang 15. Moritz Jodeit 16. Jack Tang 17. Henry Li 18. Linan Hao 19. XLAB - Tencent 20. Kai Kang 21. Cameron Dawe 22. Suwei Chen 23. Adobe PSIRT 24. Shi Ji 25. James Forshaw 26. Ben Hawkes 27. Zhoujp 28. Mgchoi 29. Atte Kettunen 30. Lucas Leong 31. Kai Song aka Exp-Sky (Tencent) 32. Mbarbella 33. Fortinet 34. Nicolas Dolgin 35. Chris Evans 36. Zer0mem 37. Dhanesh Kizhakkinan 38. Taylor Woll 39. Hui Gao 40. Wenxiang Qian 41. Jaanus Kaap 42. Richard Warren 43. Robert Gawlik 44. Lvbluesky 45. Noamr 46. Zhong She Fang 47. Adi Ivascu 48. Karim Valiev 49. Nicolas Gregoire 50. Jaehun Jeong
  22. Top 100 Finders for 2016 (51-100)
     51. Cert-CC 52. Fanxiaocao 53. Yangkang3 54. Tongbo Luo 55. Tigonlab 56. Nesk 57. Fuzzers 58. Chendongli 59. Winsonliu 60. Zhengwen Bin 61. Jack Whitton 62. Pflashispunk 63. Dan Caselden 64. Luciano Corsalini 65. Fengzhi Yong 66. Mario Heiderich 67. Yorick Koster 68. Sourceincite 69. Lu 70. Saurabh Pundir 71. Udi Yavo 72. Rodolfo Godalle 73. Abdel Hafid Ait Chikh 74. Stefan Kanthak 75. Klyin 76. Eric Lawrence 77. Scott Bell 78. Sebastien Morin 79. Nicolas Joly 80. Li Kemeng 81. Michail Bolshov 82. Mustafa Hasan 83. Th3proinformatique 84. Hao Linan 85. Ajayanandctg 86. Alex Ionescu 87. John Page 88. Costin Raiu 89. Bingchang Liu 90. Hamza Bettache 91. Kostya Kortchinsky 92. Ivan Grigorov 93. Is4curity 94. Anatolii Bench 95. Mandeep Jadon 96. Yunxiang Wyx 97. Zhang Cong 98. Shernan 99. Skylined 100. Rafal Wojtczuk
  23. Researcher Distribution
     Region / Software Bounties / Services Bounties
     • Europe / 33% / 39%
     • Asia / 38% / 25%
     • North America / 28% / 26%
     • Middle East / 0% / 8%
     • South America / 1% / 2%
     Top Three in This Region
     Software Vulnerabilities: 1) RCE 2) EoP 3) Security Feature Bypass
     Services Vulnerabilities: 1) XSS (which lead to EoP) 2) Security Misconfiguration (which enable tampering/spoofing) 3) CSRF (which enable tampering/spoofing)
  24. Making It To The MSRC Top 100 List
     The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100
     MSRC has 1000s of finders across time:
     • Most have reported 1 bug over time; many times the 1 bug was a duplicate
     • A few more have reported 2-3 across time
     Our top 100 finders report regularly:
     • Responsible for most of our critical vulnerabilities
     • Discover 2+ novel security bugs per year
     • Still get regular duplicate reports (internally or externally known)
     The top 10 have reported LOTS of bugs:
     • Spend most of their time looking for bugs
     • Many work for partner companies
     • Others are full-time bug hunters: penetration testers, professional bug bounty hunters
  25. CVD: Coordinated Vulnerability Disclosure
     • We request that you keep customers secure by maintaining the confidentiality of the vulnerability report to MSRC
     • If you wish to discuss the vulnerability publicly or blog about it, please wait until it has been fixed and patches have been released to customers
     • Preferably, blog or present the vulnerability 30 days after it has been patched. This gives customers enough time to take the patch
     • Never publish any exploit code (please)
     • We are happy to provide technical review of any talks, white papers or blogs you are publishing
     For additional information about this program: https://technet.microsoft.com/en-us/security/dn467923.aspx
  26. Take Action
     https://aka.ms/BugBounty
     2. Identify the bounty
     3. Report your findings to secure@microsoft.com
     4. Give us your name and a good email to reach you at
     5. Encrypt with our public key (if it's a PoC or working exploit)
     6. For eligible bounty cases, GET PAID!
  27. Secure@Microsoft.com – 2015 Stats
     • Always maintain CVD
     • One entry point for Security Vulnerability Reports (1000s)
     • Bulletins released: 135
     • CVEs fixed: 527
  28. Questions
     akila.srinivasan@microsoft.com
     twitter.com/akilsrin
     Aka.ms/BugBounty
