After years of saying that bug bounties are not the best way to go about getting crucial product vulnerability information in the long run, Microsoft has done an about-face and has announced three separate bug bounties.
Starting on June 26, the company will be rewarding researchers with up to $100,000 for discovering and reporting “truly novel” exploitation techniques against protections built into the latest version of their OS (currently Windows 8.1 Preview), an additional $50,000 for quality defensive ideas that address these Mitigation Bypass submissions, and up to $11,000 (minimum $500) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows.
Submissions for the first two bounties will be accepted for the foreseeable future, but researchers have only a month (until July 26) to come up with flaws in IE 11. The idea is that vulnerabilities in software are best found and fixed before its final, official release.
“While we work closely with white market vulnerability brokers like HP’s Tipping Point Zero Day Initiative and iDEFENSE’s Vulnerability Contributor Program, many of these organizations don’t offer bounties for software in beta, so some researchers would hold onto vulnerabilities until the code is released to manufacturing. Learning about these vulnerabilities earlier is always better for us and for our customers,” explained the BlueHat team.
They also pointed out that while annual exploit competitions such as Pwn2Own have been a good way for Microsoft to learn about bypass techniques for Windows-wide mitigations (DEP, ASLR, metadata integrity checks, SEHOP, etc.), they have decided that they didn’t want to wait for the next competition. “We want to know about them before they are used to target our customers,” they pointed out.
The bounty programs will be updated and adjusted as time goes by.
“It may not have escaped your notice that paying directly for vulnerability and exploit information is not the only way to work with an ecosystem to discover these kinds of issues,” they concluded. “Stay tuned for more updates from our team in the coming weeks, especially in the realm of industry collaboration.”
It’s also interesting to note that Microsoft has set a low age limit for individuals who can send in a submission, allowing researchers as young as 14 to apply for the bounties.