In a recent article on bleepingcomputer.com, the news of a new zero-day vulnerability in Microsoft’s Windows operating system took an interesting twist I was not aware of.
Some context on zero-day vulnerabilities
A zero-day vulnerability has only just been made known to the vendor (in our case Microsoft), meaning they have had “zero days” to fix it. This kind of flaw is considered dangerous because attackers can exploit it in real-life attacks, sometimes for years before the vendor and the public are aware of it and can take counter-measures.
When security researchers (basically, white-hat hackers) find such vulnerabilities, they have avenues for reporting them to the vendors. In most cases, big names like Microsoft, Apple or Google will offer a monetary reward. In recent years, the big software companies have established bounty programs, sometimes offering quite large amounts of money.
Here comes the bad news
What is surprising and unexpected about this recently discovered vulnerability are the accompanying comments about why the researcher decided to make the zero-day exploit public, together with a proof of concept.
Microsoft has cut its bounty program rewards, in some cases reducing them ten times or more. Looking further into the article, this seems to be just the tip of the iceberg, with many researchers complaining (and giving examples).
Are we going to see more attacks because of it?
Here’s why this is important and should be a concern for any business using the Microsoft platform and systems:
We all know software is not perfect. Researchers and hackers constantly find new bugs and vulnerabilities. Bounty programs are an ideal way to incentivise experts to proactively find issues that need fixing. It is a continuous race between the good guys and the bad guys to be the first to discover exploitable flaws and either report them or, in the case of malicious players, exploit them.
In both cases it is all about the money, and whilst bad actors will continue to do what they do because they can earn hefty sums of money or crypto coins, the good guys may choose not to.
The Force is Strong – But which Force?
Think for a minute about the possible scenarios when Microsoft drops the ball and stops incentivising white-hat hackers and security researchers. Any of them could turn to the dark web, sell the exploits they have discovered, and make up for the loss caused by the change in policy.
Even more disturbing is that companies like Microsoft and Apple seem to be relatively slow in patching vulnerabilities unless they affect government institutions or Fortune 500 companies.
By contrast, in the open-source world large communities come together and establish bounty programs sponsored by large organisations, further bridging the apparent gap in security and maintenance between software that is free and open and locked-down, commercial solutions. The vendors may claim their products are safe and suitable, but we cannot glimpse the code, so we do not know the reality.