Increase in bug bounty payments predicted to boost patch releases

The quantity of patches released by Microsoft will rise this year and into the future after its decision to increase bug bounty payments.

Speaking to SC Magazine, Mark Raeburn, CEO of Context Information Security, said: “The increase in bug bounties will increase the number of patches as more people will be looking out for flaws and they will be looking to fix them.

“Microsoft is late in the day on this, but it is good. You can pay people to do it or allow anyone to do it and pay them afterwards, provided it is done in a managed environment.”

Microsoft announced that it will pay up to $100,000 (£64,670) for 'truly novel exploitation techniques' against protections built into Windows 8.1 Preview, while it will pay up to $50,000 (£32,335) for defensive ideas that accompany a qualifying mitigation bypass submission.

Finally, it will pay up to $11,000 (£7,113) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows, although these must be submitted in the first 30 days of the Internet Explorer 11 beta period (between 26th June and 26th July 2013).

Craig Young, security researcher at Tripwire, said: “I think that the changes to the bounty program not only help researchers feel that their efforts are appreciated by Microsoft, but that it could over time actually reduce the number of patches as Microsoft's exploit mitigation techniques improve through increased scrutiny from white hat researchers.”

Paul Henry, security and forensic analyst at Lumension, said: “Since the announcement of the program took most security researchers by surprise, it will likely be a few months before we really see the effects of the program. That said, I do expect to see the number of bulletins Microsoft issues increase over the second half of this year.

“Microsoft has long resisted implementing a bug bounty program, which other vendors have found success with. The start of the program will likely increase the number of bulletins we see over time, but in the long run, will ensure that Microsoft products are more secure. It will also help motivate researchers to improve their disclosure with Microsoft over other sources that purchase vulnerabilities, which includes bad guys.

“This ensures Microsoft will be aware of vulnerabilities more quickly and we won't see as many bugs being exploited in the wild before Microsoft is ready to release a patch.”

Tyler Reguly, technical manager of security research and development at Tripwire, said: “I think that the platforms covered by the bounty program will limit the number of submissions. We may see additional patches, but I don't suspect we'll see vastly increased numbers.

“In the end though, while patches make the lives of those in IT more difficult, they improve security and make everyone safer.”
