Microsoft to offer £60,000 rewards in new bug bounty programs

Microsoft has rolled out three new bug bounty programs offering valuable rewards.

The company has announced that it will pay up to $100,000 (£64,670) for 'truly novel exploitation techniques' against protections built into Windows 8.1 Preview, while it will pay up to $50,000 (£32,335) for defensive ideas that accompany a qualifying mitigation bypass submission. Finally, it will pay up to $11,000 (£7,113) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows, although these must be submitted in the first 30 days of the Internet Explorer 11 beta period (between 26th June and 26th July 2013).

Microsoft's Matt Miller and David Ross said in a blog post that these programs will allow Microsoft to reward great work by researchers and improve the security of its software, all to the benefit of its customers.

On what makes a good report, they said that a high-quality submission to the mitigation bypass bounty program will describe and demonstrate a truly novel method of exploiting one or more memory corruption vulnerability classes when all modern mitigations are in place.

“For a submission to be eligible, it must include a detailed whitepaper and a functioning exploit that demonstrates the exploitation technique against a real world remote code execution vulnerability,” Miller and Ross said.

“The technique must also meet a high bar: It must be generic and reliable, it must have reasonable requirements, it must apply to a high-risk user mode application domain, and it must be applicable to the latest version of our products.”

Chris Wysopal, CTO of Veracode, said: “By offering a big bounty, $100,000, and rewarding research for the most challenging part of exploitation, Microsoft is [incentivising] researchers to focus on improvements that can help the entire Windows platform. There is even an added bonus of $50,000 if a defence is proposed for the mitigation technique.

“I am a little surprised that it took Microsoft this long to create a bug bounty program. They seem to be jumping in with a second generation bug bounty program putting the emphasis on exploitation and valuable mitigation techniques. On the open market, these techniques could be used to build many zero-day exploits and possibly command more than the Microsoft bounty so the open market is still the competition. I will be watching eagerly to see how many mitigation bypass bounties get claimed over the next year.”

Amol Sarwate, director of vulnerability labs at Qualys, said: “I think this is an intelligent move by Microsoft to tap talent from all over the world, especially in the security space where it's hard to find that talent. It also encourages good research to land into the hands of vendors rather than being sold on the black market.”
