Microsoft enters bug bounty fray for first time

19 June 2013

As the threat landscape continues to deepen in both volume and complexity, bug bounties are becoming an increasingly popular way for vendors to cost-effectively uncover potentially severe exploitable security issues. Microsoft has joined the cash-payout fray for the first time, announcing three new "Heart of Blue Gold" bounty programs that will pay up to $100,000 to enterprising researchers and hackers.

“In the early 2000s, Microsoft had to go through what I call ‘the five stages of vulnerability response grief,’” said Microsoft blogger “bluehat1” in a blog post. “This is a process that all vendors must invariably go through in order to reach the ‘Acceptance Stage,’ which includes working in a collaborative way with security researchers and good old-fashioned hackers. We may not always have 100% philosophical alignment, but we always want to keep a dialog open with the research community to further the common goal of protecting customers.”

Starting 26 June, the Mitigation Bypass Bounty will pay out the biggest jackpot, $100,000, for “truly novel exploitation techniques” against protections built into the latest version of the Windows 8 operating system (that would be the Windows 8.1 Preview at program launch). As a companion piece, the BlueHat Bonus for Defense will pay $50,000 for defensive ideas that block a qualifying mitigation bypass technique.

A third program, the Internet Explorer 11 Preview Bug Bounty, will pay up to $11,000 for showing critical vulnerabilities that affect the IE11 Preview, which is part of the Windows 8.1 Preview. Unlike the other two, this program is temporary, and will run June 26 through July 26.

“We’ve added three new researcher-focused programs to Microsoft’s robust set of security initiatives with the Mitigation Bypass Bounty, BlueHat Bonus for Defense and the IE11 Preview Bug Bounty,” said Mike Reavey, senior director at the Microsoft Security Response Center, in an emailed statement. “They will…help to fill gaps in the current marketplace and enhance our relationships within this invaluable community, all while making our products more secure for our customers.”

The cash-for-exploits approach has been adopted in a high-profile way by Google, Facebook and others, either through direct programs or hacking competitions like Pwn2Own. Google recently more than doubled its rewards from $3,133.70 to $7,500 for finding XSS flaws in sensitive web properties, and from $1,337 to $5,000 for XSS flaws in Gmail and Google Wallet. XSS issues in “normal” Google properties will now yield $3,133.70, up from $500.
