Microsoft to pay up to 150k for vulnerabilities
Posted on 19 June 2013.
After years of saying that bug bounties are not the best way to go about getting crucial product vulnerability information in the long run, Microsoft has done an about-face and has announced three separate bug bounties.

Starting June 26, the company will be rewarding researchers with up to $100,000 for discovering and reporting "truly novel" exploitation techniques against protections built into the latest version of their OS (currently Windows 8.1 Preview), an additional $50,000 for quality defensive ideas that address the issues raised in these Mitigation Bypass submissions, and up to $11,000 (minimum $500) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows.

Submissions for the first two bounties will be accepted for the foreseeable future, but researchers have only a month (until July 26) to come up with flaws in IE 11. The idea is that finding and fixing vulnerabilities in software is best done before its final and official release.

"While we work closely with white market vulnerability brokers like HP's Tipping Point Zero Day Initiative and iDEFENSE's Vulnerability Contributor Program, many of these organizations don't offer bounties for software in beta, so some researchers would hold onto vulnerabilities until the code is released to manufacturing. Learning about these vulnerabilities earlier is always better for us and for our customers," explained the BlueHat team.

They also pointed out that while annual exploit competitions such as Pwn2Own have been a good way for Microsoft to learn about bypass techniques for Windows-wide mitigations (DEP, ASLR, metadata integrity checks, SEHOP, etc.), they have decided that they didn't want to wait for the next competition. "We want to know about them before they are used to target our customers," they pointed out.

The bounty programs will be updated and adjusted as time goes by.

"It may not have escaped your notice that paying directly for vulnerability and exploit information is not the only way to work with an ecosystem to discover these kinds of issues," they concluded. "Stay tuned for more updates from our team in the coming weeks, especially in the realm of industry collaboration."

It's also interesting to note that Microsoft has set a low age limit for individuals who can send in a submission, allowing researchers as young as 14 to apply for the bounties.

For more details about what constitutes an eligible submission for each of the categories, go here and here.
