The long road from Code Red to Microsoft’s bug bounties

Here’s some historical context that puts into perspective Microsoft’s concession to finally begin paying bug bounties.

Back in June 2001, Marc Maiffret discovered a gaping security hole in Microsoft’s IIS software, used to serve up Web pages, and dutifully informed the company about it. All Maiffret received was acknowledgment from the company that the flaw existed, once Microsoft had a patch ready.

A few weeks later, Maiffret’s career arc took a steep climb. Swigging cases of Code Red Mountain Dew, Maiffret and a few cohorts uncovered an automated program snaking around the Internet in search of unpatched IIS Web servers. Each time the program found one, it posted “HELLO! Hacked By Chinese!” on the Web page.

Maiffret christened the program Code Red, a reference to the Asian defacement “and because Code Red Mountain Dew was the only thing that kept us awake while we disassembled the exploit,” Maiffret told me for my 2008 book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, co-authored with Jon Swartz.

Code Red compromised 225,000 IIS Web servers in half a day and would linger on the Internet for years, breaking into millions of machines. The hole it exploited, a buffer overflow in the IIS Index Server ISAPI extension (.ida), had been patched in Microsoft bulletin MS01-033 roughly a month before the worm appeared; the worm only ever hit servers whose administrators had not yet applied it. That gap established a model for what would become a familiar cycle. Vulnerability researchers would find a fresh security hole; Microsoft would issue a patch; black hats would race to exploit as many machines as possible before the patch got widely distributed.

Maiffret’s vulnerability research firm, eEye Digital, thrived. It was acquired last year by BeyondTrust, where he currently serves as chief technical officer. CyberTruth caught up with him between client meetings for a few quick questions.

CT: Why do you think Microsoft has lagged so far behind Google and Mozilla in paying bounties to grey and white hat researchers?

Maiffret: Microsoft had taken a stance against bug bounties a few years ago and I think it has taken them time and some internal struggle to finally come to terms with changing their position.

CT: Why do you think Microsoft has finally come around?

Maiffret: I think they realize there can be a lot of value in such programs but also I think they have found a balance to a bug bounty program that they think works for them vs. some of the more broad bug bounty programs that other software companies have. Microsoft’s is a bit more narrow in focus currently, but it is only the beginning.

CT: How would your life be different if Microsoft was paying a bounty like this when you discovered Code Red?

Maiffret: The goals that my research team and I had during those days were to wake up Microsoft and other companies to take security seriously. I think we accomplished that goal and are still seeing the ripple effects even to today with announcements such as this. Had Microsoft been making decisions like this way back then, things would have been very different. We probably would have been able to sleep a lot more and received a few fewer nasty phone calls.

CT: Anything else?

Maiffret: It is important people understand that this new bug bounty program from Microsoft is not an overall bug bounty program but rather one focused on very specific bugs and security bypasses that are of top priority for Microsoft. So while it is a good step in the right direction, there is certainly still a more formal bug bounty program that can be put in place.
