
Microsoft to offer £60,000 rewards in new bug bounty programs


Microsoft has rolled out three new bug bounty programs offering valuable rewards.


The company has announced that it will pay up to $100,000 (£64,670) for 'truly novel exploitation techniques' against protections built into Windows 8.1 Preview, while it will pay up to $50,000 (£32,335) for defensive ideas that accompany a qualifying mitigation bypass submission. Finally, it will pay up to $11,000 (£7,113) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows, although these must be submitted in the first 30 days of the Internet Explorer 11 beta period (between 26th June and 26th July 2013).


Microsoft's Matt Miller and David Ross said in a blog post that these programs will allow Microsoft to reward great work by researchers and improve the security of its software, all to the benefit of its customers.


On what makes a good report, they said that a high-quality submission to the mitigation bypass bounty program will describe and demonstrate a truly novel method of exploiting one or more memory corruption vulnerability classes when all modern mitigations are in place.


“For a submission to be eligible, it must include a detailed whitepaper and a functioning exploit that demonstrates the exploitation technique against a real world remote code execution vulnerability,” Miller and Ross said.


“The technique must also meet a high bar: It must be generic and reliable, it must have reasonable requirements, it must apply to a high-risk user mode application domain, and it must be applicable to the latest version of our products.”


Chris Wysopal, CTO of Veracode, said: “By offering a big bounty, $100,000, and rewarding research for the most challenging part of exploitation, Microsoft is [incentivising] researchers to focus on improvements that can help the entire Windows platform. There is even an added bonus of $50,000 if a defence is proposed for the mitigation technique.


“I am a little surprised that it took Microsoft this long to create a bug bounty program. They seem to be jumping in with a second-generation bug bounty program, putting the emphasis on exploitation and valuable mitigation techniques. On the open market, these techniques could be used to build many zero-day exploits and possibly command more than the Microsoft bounty, so the open market is still the competition. I will be watching eagerly to see how many mitigation bypass bounties get claimed over the next year.”


Amol Sarwate, director of vulnerability labs at Qualys, said: “I think this is an intelligent move by Microsoft to tap talent from all over the world, especially in the security space where it's hard to find that talent. It also encourages good research to land into the hands of vendors rather than being sold on the black market.”
