Last week at BlueHat’s “MSRC Listens” session, I took the stage with Mechele Gruhn, manager of the Vulnerability Response PM team, to explain how MSRC is changing our communication, workflows, and tooling to deliver an improved user experience for our partners in the security research community. We promised to communicate more about what’s happening in the MSRC that affects our customers and research partners.
We weren’t expecting to get an opportunity to demonstrate this commitment quite so soon.
Back in June 2018, Microsoft updated the terms and conditions of our mitigation bypass bounty. As Joe Bialek of MSRC’s Vulnerabilities & Mitigations Team explained in a blog about the scope change, we’ve learned a lot from the great research into CFG bypasses and what we need to do to harden it, so we removed it from the list of targets. However, when MSRC migrated to a new website in August we accidentally published the old bounty terms, not the most current ones. We discovered this during BlueHat, when mitigation bypass researchers Alex Ionescu and Yunhai Zhang pointed out that CFG had re-entered the list of in-scope targets and asked if this was intentional.
Today, we’re updating the terms of the mitigation bypass bounty to remove CFG (again). If you submitted an eligible report of a CFG mitigation bypass between August 7, 2018 and today, we will evaluate the submission under the bounty terms that were published at the time of your submission.
We also see a clear opportunity to make other improvements to increase the transparency of bounty scope changes in the future.
- First, we’ll bring back change logging on the page describing each bounty, just as we do today for our security update documentation.
- Second, we’ll add the last edited date to the page of currently active bounty programs.
Both changes should make it easier for any researcher to determine the exact terms of the bounty both at the time they made their report, and at the time a fix is shipped. We plan to implement both of these changes in the coming weeks.
This is hard. We all want to get things right the first time and it’s embarrassing to admit it when we don’t. But having made this commitment at BlueHat, we will honor it: this is what happened, this is how we plan to avoid it in future, and this is what we’ll do to fix it today.
Principal Security PM Manager
MSRC Community Programs
With contributions from: Christa Anderson, Matt Miller, & Matthew Dressman