
Increase in bug bounty payments predicted to boost patch releases


The quantity of patches released by Microsoft will rise this year and into the future after its decision to increase bug bounty payments.

Speaking to SC Magazine, Mark Raeburn, CEO of Context Information Security, said: “The increase in bug bounties will increase the number of patches as more people will be looking out for flaws and they will be looking to fix them.

“Microsoft is late in the day on this, but it is good. You can pay people to do it or allow anyone to do it and pay them afterwards, provided it is done in a managed environment.”

Microsoft announced that it will pay up to $100,000 (£64,670) for 'truly novel exploitation techniques' against protections built into Windows 8.1 Preview, while it will pay up to $50,000 (£32,335) for defensive ideas that accompany a qualifying mitigation bypass submission.

Finally, it will pay up to $11,000 (£7,113) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows, although these must be submitted in the first 30 days of the Internet Explorer 11 beta period (between 26th June and 26th July 2013).

Craig Young, security researcher at Tripwire, said: “I think that the changes to the bounty program not only help researchers feel that their efforts are appreciated by Microsoft, but that it could over time actually reduce the number of patches as Microsoft's exploit mitigation techniques improve through increased scrutiny from white hat researchers.”

Paul Henry, security and forensic analyst at Lumension, said: “Since the announcement of the program took most security researchers by surprise, it will likely be a few months before we really see the effects of the program. That said, I do expect to see the number of bulletins Microsoft issues increase over the second half of this year.

“Microsoft has long resisted implementing a bug bounty program, which other vendors have found success with. The start of the program will likely increase the number of bulletins we see over time, but in the long run, will ensure that Microsoft products are more secure. It will also help motivate researchers to improve their disclosure with Microsoft over other sources that purchase vulnerabilities, which includes bad guys.

“This ensures Microsoft will be aware of vulnerabilities more quickly and we won't see as many bugs being exploited in the wild before Microsoft is ready to release a patch.”

Tyler Reguly, technical manager of security research and development at Tripwire, said: “I think that the platforms covered by the bounty program will limit the number of submissions. We may see additional patches, but I don't suspect we'll see vastly increased numbers.

“In the end though, while patches make the lives of those in IT more difficult, they improve security and make everyone safer.”
