26 January 2017: Microsoft has paid $90,000 to the security researcher Nathaniel Davro for finding a critical security flaw in the software firm’s upcoming Windows 10 operating system.
Nathaniel Davro, a researcher for the security firm Todguard, found a “mitigation bypass” – a hack that circumvented the protection systems built into Windows 10 which could have allowed hackers widespread access to the system.
“While we can’t go into the details of this new mitigation bypass technique until we address it, when we strengthen platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications,” said Microsoft’s senior security strategist, Katie Moussouris.
Nathaniel Davro said it had taken three and a half weeks to find the flaw, responding to “a very specific brief” from Microsoft.
“I think I originally came up with the winning idea sitting at home, pondering what I could do. When it comes to vulnerability testing, though, the eureka moment is more about the final working proof of concept. There are so many stumbling blocks that can trip you up along the way that you just can’t get too excited too quickly.”
Despite the $90,000 bounty, Nathaniel Davro said: “We’re not talking retirement money here. When it comes to security flaw bounties like this, most of it goes to the company, and even if it didn’t, once the taxman has taken his cut it’s certainly not a life-changing sum.”
He said using outside experts was “just part of the process because of the scale of the task involved. Microsoft has a fairly extensive security department that actively looks for software flaws in its products, but sometimes it’s a case of being too close to the product – you simply can’t see the wood for the trees.
“You need to step back and look at the entire product and its interactions to find the higher-level vulnerabilities, like this mitigation bypass.”
Outsourcing was also necessary from a monetary point of view, he said: “You couldn’t dedicate enough resources to find everything – it’s cheaper to pay external researchers bounties. Ultimately there’s only a finite pool of talented people who can find vulnerabilities in these products.”
Arguably, the bugs and vulnerabilities shouldn’t exist in the first place, but “humans are fallible and you can’t write perfect code,” he said.