Microsoft to pay up to 150k for vulnerabilities
Posted on 19 June 2013.
After years of saying that bug bounties are not the best way to go about getting crucial product vulnerability information in the long run, Microsoft has done an about-face and has announced three separate bug bounties.

Starting with June 26, the company will be rewarding researchers with up to $100,000 for discovering and reporting "truly novel" exploitation techniques against protections built into the latest version of their OS (currently Windows 8.1 Preview), an additional $50,000 for quality defensive ideas for solving these Mitigation Bypass submission, and up to $11,000 (minimum $500) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows:


Submissions for the first two bounties will be accepted for the foreseeable future, but researchers have only a month (until July 26) to come up with flaws in IE 11. The idea is that finding and fixing vulnerabilities in software is best to do before its final and official release.

"While we work closely with white market vulnerability brokers like HPís Tipping Point Zero Day Initiative and iDEFENSEís Vulnerability Contributor Program, many of these organizations donít offer bounties for software in beta, so some researchers would hold onto vulnerabilities until the code is released to manufacturing. Learning about these vulnerabilities earlier is always better for us and for our customers," explained the BlueHat team.

They also pointed out that while annual exploit competitions such as Pwn2own have been a good way to for Microsoft to learn about bypass techniques for Windows-wide mitigations (DEP, ASLR, metadata integrity checks, SEHOP, etc.), they have decided that they didnít want to wait for the next competition. "We want to know about them before they are used to target our customers," they pointed out.

The bounty programs will be updated and adjusted as time goes by.

"It may not have escaped your notice that paying directly for vulnerability and exploit information is not the only way to work with an ecosystem to discover these kinds of issues," they concluded. "Stay tuned for more updates from our team in the coming weeks, especially in the realm of industry collaboration."

It's also interesting to note that Microsoft has set a low age limit for individuals who can send in a submission, allowing researchers as young as 14 to apply for the bounties.

For more details about the what constitutes an eligible submission for each of the categories, go here and here.





Spotlight

The role of the cloud in the modern security architecture

Posted on 31 July 2014.  |  Stephen Pao, General Manager, Security Business at Barracuda Networks, offers advice to CISOs concerned about moving the secure storage of their documents into the cloud and discusses how the cloud shaping the modern security architecture.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 1st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //