“In the early 2000s, Microsoft had to go through what I call ‘the five stages of vulnerability response grief,’” said Microsoft blogger “bluehat1” in a blog post. “This is a process that all vendors must invariably go through in order to reach the ‘Acceptance Stage,’ which includes working in a collaborative way with security researchers and good old-fashioned hackers. We may not always have 100% philosophical alignment, but we always want to keep a dialog open with the research community to further the common goal of protecting customers.”
Starting June 26, the Mitigation Bypass Bounty will pay out the biggest jackpot, $100,000, for “truly novel exploitation techniques” against the exploit mitigations built into the latest version of the Windows 8 operating system (the Windows 8.1 Preview at program launch). As a companion piece, the BlueHat Bonus for Defense will pay $50,000 for defensive ideas that block a qualifying mitigation bypass technique.
A third program, the Internet Explorer 11 Preview Bug Bounty, will pay up to $11,000 for showing critical vulnerabilities that affect the IE11 Preview, which is part of the Windows 8.1 Preview. Unlike the other two, this program is temporary, and will run June 26 through July 26.
“We’ve added three new researcher-focused programs to Microsoft’s robust set of security initiatives with the Mitigation Bypass Bounty, BlueHat Bonus for Defense and the IE11 Preview Bug Bounty,” said Mike Reavey, senior director at the Microsoft Security Response Center, in an emailed statement. “They will…help to fill gaps in the current marketplace and enhance our relationships within this invaluable community, all while making our products more secure for our customers.”
The cash-for-exploits approach has been adopted in a high-profile way by Google, Facebook and others, either through direct programs or hacking competitions like Pwn2Own. Google recently more than doubled its rewards from $3,133.70 to $7,500 for finding XSS flaws in sensitive web properties, and from $1,337 to $5,000 for XSS flaws in Gmail and Google Wallet. XSS issues in “normal” Google properties will now yield $3,133.70, up from $500.