‘Embrace the red’: Microsoft puts up another $4M for cloud and AI bugs in broader security push
If security is really more important than everything else, will it be in the keynote?
Microsoft, under intense pressure to better protect its systems and customers from cyberattacks, will answer that question by giving its top security execs a prime spot on stage Tuesday morning at its annual Ignite conference for IT pros in Chicago.
One of their announcements: a new $4 million bug bounty program, representing an additional pool of money to be shared among security researchers who identify holes in Microsoft’s cloud and AI systems.
It’s part of a new initiative and planned 2025 hacking event in Redmond that Microsoft is calling the Zero Day Quest. Microsoft says the initiative begins today with a pledge to double the bounties for finding AI security flaws.
The money is on top of the existing $16 million that Microsoft pays out annually through its bug bounty program.
“Upping the game here, I think, will create a lot of incentive,” said Charlie Bell, the executive vice president in charge of Microsoft Security, in an interview in advance of the Ignite conference. Bell will appear on stage with Vasu Jakkal, Microsoft Security corporate vice president, during Microsoft CEO Satya Nadella’s opening keynote.
Origins of the plan: Microsoft’s senior leadership team holds weekly meetings with Nadella to review and address security as part of its Secure Future Initiative.
When these SFI meetings began, Nadella instructed the group to “embrace the red,” Bell said. In other words, the Microsoft CEO wasn’t looking for glowing reports from senior execs. He wanted them to bring their problems.
“And it was liberating, actually, for everybody in the room,” Bell said.
He said Nadella gave the directive to boost the bug bounty in one of these meetings.
Microsoft describes its existing bug bounty program as the largest in the industry, and says in a blog post that the additional $4 million “will represent the highest potential rewards of any hacking event in the industry.”
But if security is so important, why not put up even more money? With billions in the bank — $78.5 billion, at last count — Microsoft has the resources to go even further to turn the economics of security research in its favor.
Bell responded to the question: “I mean, you could pay a trillion dollars. Would you get more? I don’t know. … You’ve got to just incent people to do the right thing, and that’s what we’re trying to do here.”
Microsoft is also offering up its “AI Red Team” — internal experts who operate like hackers to find vulnerabilities — to train outside security researchers to find AI-related bugs, knowledge they can then use to participate in the program.
Grappling with cyberattacks and vulnerabilities: A former Amazon Web Services executive, Bell joined Microsoft three years ago to lead its security initiatives.
Microsoft launched its Secure Future Initiative in November 2023, after a high profile incident earlier that year, in which the Chinese hacking group known as Storm-0558 compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.
The company revealed in January of this year that a Russian state-sponsored actor known as Nobelium, or Midnight Blizzard, accessed its internal systems and executive email accounts. Subsequently, the company said the same attackers were able to access some of its source code repositories and internal systems.
A report by the Cyber Safety Review Board (CSRB) in March, focusing on Storm-0558, described Microsoft’s security culture as “inadequate,” citing a “cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”
The CSRB report called on Microsoft to make security its top priority. The next month, Nadella declared that it was.
Microsoft expanded its Secure Future Initiative in May to base a portion of executive compensation on security; install deputy chief information security officers in each product group; and bring together teams from its major platforms and product teams in “engineering waves” to overhaul security.
In addition to eliminating hundreds of thousands of outdated apps and millions of cloud tenants, the company is focusing on making security practices easier and more standardized. Bell described these as “paved paths” to simplify security tasks and make them automatic, rather than employees inventing their own processes.
Microsoft says the equivalent of 34,000 full-time engineers are working on the Secure Future Initiative, calling it “the largest cybersecurity engineering project in history.”
Tension between security and business: The company continues to face criticism over profiting from security products even as vulnerabilities in its own programs contribute to cybersecurity problems.
The latest: a Nov. 15 ProPublica report described Microsoft’s offer of cybersecurity help to the U.S. government in 2021 as “a calculated business maneuver designed to bring in billions of dollars in new revenue, box competitors out of lucrative government contracts and tighten the company’s grip on federal business.”
Responding to the piece, a Microsoft spokesperson said in a statement that the company’s “only motivation is to compete for and provide best-in-class cybersecurity tools that help address the ever-evolving and growing cyber threat posed by nation-state actors.” The statement continued:
Microsoft’s sole goal during this period was to support an urgent request by the Administration to enhance the security posture of federal agencies who were continuously being targeted by sophisticated nation-state threat actors. At the time, the White House engaged a broad range of tech sector leaders, including Google, Amazon, Apple, IBM as well as Microsoft, to provide commitments to help improve cybersecurity for the country at that critical time and each of them were part of the White House announcement. At the behest of the Administration, Microsoft provided enhanced security tools, at no cost, to agencies as soon as possible to level up their security baseline. There was no guarantee that agencies would purchase these licenses; and agencies were free to engage with other vendors to support their security needs.
Nadella previously made a habit of informing investors about the company’s revenue from security products, which surpassed $20 billion last year. Since then, the company has stopped disclosing this number, focusing instead on its Secure Future Initiative and efforts to overhaul its culture and development practices.
Security product news: Announcements at Ignite include a new data loss prevention capability for the Microsoft 365 Copilot corporate AI product as part of Microsoft Purview, the company’s data protection product. Microsoft 365 Copilot has been criticized for allowing unauthorized data access if companies haven’t correctly set up their permissions.
Another product announcement is the general availability of Microsoft Security Exposure Management. It uses graph-based analysis to help defenders understand potential attack paths from an attacker’s perspective.
Jakkal, the Microsoft Security corporate vice president, explained that this is informed in part by Microsoft’s own experience.
“Attackers think in graphs,” Jakkal said. “They’ll start with a phishing-related attack or identity credentials stealing. But then, once they get in your system, they’re not going to stay in that silo.”
She explained, “They might move into your device, install a malware, wait to get some access to IP, or they might move laterally, get into your identity system, elevate their privileges, get into your network … get into the cloud, get into apps. So they are moving very graphically.”
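The graph view Jakkal describes can be made concrete with a small attack-path enumerator. This is an added illustration, not code from Microsoft or its Exposure Management product; the nodes, edge labels and the sample environment are constructed to mirror the phish-to-cloud chain quoted above, and the output is what a defender would use to pick choke points.

```python
"""Attack-path enumeration over a constructed asset graph (illustrative only)."""
from collections import defaultdict

# Constructed sample: directed edges (source, technique, destination) modelling
# the chain described in the article: phish -> device -> identity -> privileges
# -> cloud -> apps, plus a credential-theft shortcut and an IP-theft branch.
EDGES = [
    ("internet", "phishing", "user_mailbox"),
    ("internet", "credential_theft", "user_identity"),
    ("user_mailbox", "malware", "workstation"),
    ("workstation", "lateral_movement", "identity_system"),
    ("user_identity", "lateral_movement", "identity_system"),
    ("identity_system", "privilege_elevation", "domain_admin"),
    ("domain_admin", "token_forgery", "cloud_tenant"),
    ("cloud_tenant", "app_access", "business_apps"),
    ("workstation", "ip_theft", "file_share"),
]

def build_graph(edges):
    """Adjacency map: node -> list of (technique, next_node)."""
    graph = defaultdict(list)
    for src, technique, dst in edges:
        graph[src].append((technique, dst))
    return graph

def attack_paths(graph, start, target):
    """All simple paths from start to target, each a list of
    (node, technique, next_node) hops, found depth-first."""
    paths = []
    def walk(node, visited, hops):
        if node == target:
            paths.append(list(hops))
            return
        for technique, nxt in graph.get(node, []):
            if nxt not in visited:
                hops.append((node, technique, nxt))
                walk(nxt, visited | {nxt}, hops)
                hops.pop()
    walk(start, {start}, [])
    return paths

def choke_points(paths, start, target):
    """Intermediate nodes present on every path: hardening or monitoring
    any one of them breaks every enumerated route to the target."""
    if not paths:
        return set()
    per_path = [{n for hop in p for n in (hop[0], hop[2])} - {start, target}
                for p in paths]
    return set.intersection(*per_path)
```

Running `choke_points(attack_paths(build_graph(EDGES), "internet", "business_apps"), "internet", "business_apps")` on the sample returns the identity system, the domain-admin tier and the cloud tenant, which is exactly the cross-silo movement the quote describes.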
Bell said Microsoft’s dual role — as not just a developer of technology but also a provider of security products — gives it an important perspective on the security landscape.
“When you’re a provider, you get to see what goes on,” Bell said. “You get to watch every minute. You watch all kinds of stuff happening. You see bad guys doing the various activity. You see examples of good behavior.”
“We put out all kinds of stuff that is built into the products to begin with,” he said, “and then on the security product side, there’s a lot that we can do that requires an awful lot of work — and a lot of cost.”