Microsoft is expanding its bug bounty programs significantly, evolving the online services bug bounty, launching a new bounty for Project Spartan, and updating the mitigation bypass bounty.
The bounty program in general is evolving to further accommodate the coverall shift in computing to hosted environments, according to Jason Shirk at the Microsoft Security Response Center.
“[The changes] reflect the continued shift and evolution of technology towards the cloud,” Shirk said, in a blog. “The additions to the bounty program will be part of the rigorous security programs at Microsoft.”
For instance, for the online services bounty, the computing giant is adding Azure to the purview. Microsoft’s cloud platform offerings will be fair game now, including Azure virtual machines, Azure cloud services, Azure storage and Azure active directory; as well as Sway.com, which is a web application that lets users express ideas across many devices and platforms.
Microsoft will pay up to $15,000 for critical bugs, and more for more impactful and better documented bugs.
Project Spartan meanwhile is related to the Windows 10 Technical Preview. Microsoft’s is launching later this year, and securing it is a top priority for the browser team. The bounty program (the maximum payout is $15,000) will run through June 22, 2015 to help make that happen.
It includes remote code execution and sandbox escapes, as well as design-level security bugs, and the bounties are tiered by the criticality of the issue reported, as well as the quality of the documentation and how reproducible the issue is.
“The Mitigation Bypass bounty and the Bonus bounty for Defense are both very active, paying up to $100,000 for novel methods to bypass active mitigations (e.g. ASLR and DEP) in our latest released version of operating system (currently Windows 8.1 and Server 2012 R2) and a bonus of up to $50,000 USD for actionable defense techniques to the reported bypass,” Shirk noted.
Microsoft has also expanded the mitigation bypass bounty to cover Hyper-V escape—either guest-to-host, guest-to-guest or guest-to-host DoS (non-distributed, from a single guest).
All of the bounty program additions will be run alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of products and services, and security and compliance accreditations by third-party audits, the vendor said.
“Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work,” Shirk said. “I can say that we truly value these contributions. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time. We will be regularly managing the Microsoft Bounty Programs to help us best protect our many users.”