Microsoft Ponies Up $100K in First Bug Bounty Payment

James Forshaw, head of vulnerability research at UK-based Context Information Security, is the first recipient of Microsoft's reward within the cash-for-exploits program

Forshaw had already earned a reward under the Internet Explorer 11 Preview Bug Bounty for design-level bugs: critical vulnerabilities affecting the IE11 Preview, which ships as part of the Windows 8.1 Preview. In all, his total bounty earnings are $109,400.

“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus on complex logic bugs,” Forshaw said, in a Microsoft blog. “I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires. Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offense to defense.”

Microsoft isn’t releasing details of the new mitigation bypass technique until it has addressed it, but it did explain why the technique commands a far higher price than a single bug. “The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack,” explained Katie Moussouris, senior security strategist at the Microsoft Security Response Center, in a blog. “This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”

Coincidentally, a Microsoft engineer, Thomas Garnier, also found a variant of this class of attack technique. “Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” Moussouris said.

The program has paid out more than $128,000 to date, Microsoft noted. The software behemoth entered the bounty fray over the summer. In addition to the Mitigation Bypass Bounty, a companion piece dubbed the BlueHat Bonus for Defense will pay $50,000 for defensive ideas that block a qualifying mitigation bypass technique.

“[The program] incentivizes researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count,” Forshaw said. “To find my winning entry, I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful. Receiving the recognition for my entry is exciting to me and my employer Context. It also gives me the satisfaction that I am contributing to improving the security of both Microsoft’s and Context’s customers.”
