Microsoft has rolled out three new bug bounty programs offering valuable rewards.
The company has announced that it will pay up to $100,000 (£64,670) for 'truly novel exploitation techniques' against protections built into Windows 8.1 Preview, while it will pay up to $50,000 (£32,335) for defensive ideas that accompany a qualifying mitigation bypass submission. Finally, it will pay up to $11,000 (£7,113) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows, although these must be submitted in the first 30 days of the Internet Explorer 11 beta period (between 26th June and 26th July 2013).
Microsoft's Matt Miller and David Ross said in a blog post that these programs will allow Microsoft to reward great work by researchers and improve the security of its software, all to the benefit of its customers.
Describing what makes a good report, they said that a high-quality submission to the mitigation bypass bounty program will describe and demonstrate a truly novel method of exploiting one or more memory corruption vulnerability classes when all modern mitigations are in place.
“For a submission to be eligible, it must include a detailed whitepaper and a functioning exploit that demonstrates the exploitation technique against a real world remote code execution vulnerability,” Miller and Ross said.
“The technique must also meet a high bar: It must be generic and reliable, it must have reasonable requirements, it must apply to a high-risk user mode application domain, and it must be applicable to the latest version of our products.”
Chris Wysopal, CTO of Veracode, said: “By offering a big bounty, $100,000, and rewarding research for the most challenging part of exploitation, Microsoft is [incentivising] researchers to focus on improvements that can help the entire Windows platform. There is even an added bonus of $50,000 if a defence is proposed for the mitigation technique.
“I am a little surprised that it took Microsoft this long to create a bug bounty program. They seem to be jumping in with a second generation bug bounty program putting the emphasis on exploitation and valuable mitigation techniques. On the open market, these techniques could be used to build many zero-day exploits and possibly command more than the Microsoft bounty so the open market is still the competition. I will be watching eagerly to see how many mitigation bypass bounties get claimed over the next year.”
Amol Sarwate, director of vulnerability labs at Qualys, said: “I think this is an intelligent move by Microsoft to tap talent from all over the world, especially in the security space where it's hard to find that talent. It also encourages good research to land into the hands of vendors rather than being sold on the black market.”