Showing posts with label incentives. Show all posts

Microsoft Expands Mitigation Bypass Bounty

Microsoft have expanded their mitigation bypass bounty to include not just bypass techniques researched and developed specifically for the program, but also bypass techniques observed in the wild, thereby vastly increasing the number of researchers looking and the chance of finding something novel.

Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.
Increasing the chance of finding a novel technique is only the first benefit Microsoft hope to gain from this expansion. As they point out in the quote below, they are also hoping to influence the underground vulnerability markets by increasing the costs to those looking to buy exploits. This is a nice use of market forces to drive a security benefit, artificially raising the cost to the bad guys. I wonder who has more money... (and no, I'm not going down the rabbit hole of nation state actors)
This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.
The use of market forces to drive up the cost of exploits ties in quite nicely with some discussions I've been having recently about raising the entry criteria for attackers, be it at a micro level, such as what you might be doing in your organisation, or a macro level, such as what Microsoft are doing here. Attempting to 'raise the bar' for adversaries, whether by technical or financial means, is nothing new; it is the point of every security control and bug bounty program. What sets this effort and its predecessor apart from other bounty programs is that Microsoft is incentivising researchers to find new defensive strategies rather than individual vulnerabilities with point solutions, effectively eliminating whole classes of vulnerabilities.

Rewarding Failure?

Richard pointed out to me a great little blog post entitled "Does Software Development Have A Culture Of Rewarding Failure".

The post asks why those who bring home projects over budget and behind schedule with a huge flurry of last-minute effort seem to be more rewarded than those who get it all done on time and on budget.

Unfortunately, it is not only during software development that this type of behaviour occurs; it permeates many other industries and business environments. But why is this so?

Is it simply that everyone loves a hero, the underdog fighting against incredible odds to achieve the near-impossible?
They are certainly more visible, appearing incredibly dedicated, sacrificing their evenings and weekends as they struggle to complete that big project on time (or at all), as opposed to the other team who 'easily' got it all done on time and within budget.
The author makes the point "...everyone expected the project to go well and when it did, no-one was surprised, everything went according to plan, why would anyone reward or even acknowledge it when things go according to plan?"

It reminds me a little of the old Y2K bug (remember that one?). Lots of people worked very hard to ensure nothing went wrong. And when nothing did go wrong (i.e. success!), the question asked by some management was: "Geez, what did we spend all that time and effort for? Nothing happened!"

Information Security is in a similar boat. Money and resources allocated to security projects can seem to be wasted when, well, nothing happens! Which of course, in many cases, was the point of the expenditure: to stop the bad thing from occurring.

I'm reading Nassim Nicholas Taleb's excellent book 'The Black Swan: The Impact of the Highly Improbable'* at the moment, which discusses (amongst many things) our cognitive bias towards narratives. We like a story, a bit of colour, and this can affect our rational view of facts. With regard to the current topic, consider the following:

  • The Project finished on time.
  • The Project finished on time because we all worked 7 days a week, 16 hours a day for the last two weeks to meet the deadline.
Which statement seems more likely? I'd wager that, from the gut, for most people it is the second one.

There can also be a mindset of "if you're not running around in crisis mode at crunch time, then you must have budgeted too much time to start with!" We value effort, and in 'deadline crisis mode' the effort is more visible.
Some of this may also be the result of the vicious circle created by 'rewarding failure' in the past: in people's experience, the projects that arrive with a big bang and a flurry of 'crunch time' activity to meet the deadline are the ones most valued (i.e. rewarded).
Never mind the hidden costs of the project deadline death-march, which often take the form of cut corners, resulting in quality and security problems to be addressed 'sometime' down the track.

This whole topic brings to mind an old Dilbert comic about an employee getting an award for working overtime and weekends fixing the mistakes he caused in the first place.

I can only agree with Alan Skorkin on this one when he states "I for one would love to see a little bit more appreciation from everyone for projects where things go according to plan and especially for the people on those projects...rather than celebrating the belated delivery of the latest death-march, how about digging into it and trying to figure out why it was 6 months late and why people had to work 80 hour weeks to keep it from complete disaster".

*If you're involved at all in looking at (or trying to second-guess!) future events or trends, like many Information Security professionals, I highly recommend Mr Taleb's book.
