Microsoft widens pool of submitters to its bug bounty programs
Posted on 05 November 2013.
Microsoft may have been a late starter when it comes to bug bounties, but it is continually making changes aimed at making its bug bounty programs as accessible, as rewarding, and as successful as they can be.


The latest change makes it possible for more people, such as forensic experts and responders, to submit new mitigation bypass techniques and defensive ideas.

“We are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild,” wrote Katie Moussouris, senior security strategist lead, Microsoft Trustworthy Computing.

“In this new expansion of Microsoft’s bounty programs, organizations and individuals are eligible to submit Proof-of-Concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants would also be eligible for up to $50,000 in addition if they also submit a qualifying defense idea.”

Moussouris explained that Microsoft wants to learn about new exploitation techniques as early as possible, ideally before they are used, but that it will pay for them even if they are already being used in targeted attacks.

“Learning about ‘ways around the shield,’ or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of arrows as opposed to a single bug – hence, we are willing to pay $100,000 for these rare techniques,” she explained, adding that this evolution of Microsoft’s bug bounties program is designed to disrupt the vulnerability and exploit markets.

“Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery,” she concluded.

The guidelines for submission and eligibility are available here.

Copyright 1998-2014 by Help Net Security.