The latest change makes it possible for more people, such as forensic experts and responders, to submit new mitigation bypass techniques and defensive ideas.
“We are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild,” wrote Katie Moussouris, senior security strategist lead, Microsoft Trustworthy Computing.
“In this new expansion of Microsoft’s bounty programs, organizations and individuals are eligible to submit Proof-of-Concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants would also be eligible for up to $50,000 in addition if they also submit a qualifying defense idea.”
Moussouris explained that Microsoft wants to learn about these new exploitation techniques as early as possible - ideally before they are used - but that they will pay for them even if they are currently being used in targeted attacks.
“Learning about ‘ways around the shield,’ or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of arrows as opposed to a single bug – hence, we are willing to pay $100,000 for these rare techniques,” she explained, adding that this evolution of Microsoft’s bug bounties program is designed to disrupt the vulnerability and exploit markets.
“Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery,” she concluded.
The guidelines for submission and eligibility are available here.