Launched on June 26 and set to last until July 26, the aim of the program was to receive information about vulnerabilities while the new version of the browser was still in the Preview period, so that they could be fixed before the final version was actually released.
According to the honor roll, the researchers who submitted qualifying vulnerabilities were:
- James Forshaw of Context Security, who earned a total of $9,400 for four flaws and one design-level vulnerability
- Jose Antonio Vazquez Gonzalez of Yenteasy - Security Research, who received a total of $5,500 for five IE flaws
- Independent researcher Masato Kinugawa - $2,200 for two flaws
- Google researchers Ivan Fratric and Fermin J. Serna - $1,100 and $500, respectively, for three bugs, and
- Peter Vreugdenhil of Exodus Intelligence received an undisclosed amount (if my calculations are right, around $10,000) for what must have been a serious IE 11 flaw.
"The Preview period is a great time for us to receive these reports because we can address these issues earlier. Oftentimes, researchers typically do not report these findings until after code was released to manufacturing. With these submissions, we will be able to address these vulnerabilities earlier in the process providing a more secure version of Internet Explorer," she pointed out, and added that they consider this particular bug bounty program a great success, as the first 30 days of the IE 10 beta period passed without any vulnerabilities having been reported.
The other two bounty programs launched on June 26 - for "truly novel" exploitation techniques against protections built into the latest version of Windows OS, and for defensive ideas for solving these Mitigation Bypass submissions - are still ongoing.
UPDATE: Microsoft has announced that James Forshaw of Context Security has earned himself an additional bounty of $100,000 for finding and responsibly disclosing a Mitigation Bypass vulnerability and creating an exploit for it.
No indication was given about the type of mitigation technique (ASLR, DEP, SEHOP, metadata integrity checks, etc.) it bypasses.