bit-tech.net

Microsoft announces first bug bounty payouts

Microsoft has announced payouts totalling more than $28,000 for its first-ever bug bounty programme, which sought vulnerabilities in Internet Explorer 11.

Microsoft has announced that it has paid out more than $28,000 (around £17,422) as part of its first ever bug-bounty programme, which saw security researchers finding holes in its Internet Explorer browser.

Bounties for security vulnerabilities are a popular way for companies to outsource security auditing of their products: researchers who pledge to provide information on the flaws they find to the company and not to make them public until they are fixed can receive thousands of pounds in payments. The practice has a flip-side, however: vulnerability-trading companies who offer even more cash for exclusive rights to the exploit, in order to resell it to their customers before the developers have a chance to patch the hole.

Paying for bug information is a practice Microsoft has previously eschewed, despite some of its biggest competitors including Google running bug bounty programmes as part of their standard operating procedures. As a trial back in June, however, Microsoft announced it would be running a one-month bounty programme for the preview release of its Internet Explorer 11 web browser.

The programme closed in July, but Microsoft has only just released the results: more than $28,000 was paid out through the programme to six security researchers for finding and detailing 15 flaws in the software.

Jose Gonzalez of Yenteasy Security Research topped the table with a total of five security vulnerabilities, netting him $5,500 in cash; James Forshaw of Context Security came next with four bugs valued at $4,400, but earned an additional $5,000 bonus payment for finding a design vulnerability previously unknown to Microsoft; Masato Kinugawa found two vulnerabilities for a $2,200 payout; Peter Vreugdenhil of Exodus Intelligence found a single bug for an unspecified payout; and two Google employees, Ivan Fratric and Fermin Serna, found a bug each for $1,100 and $500 respectively. Interestingly, the two Google employees were the only researchers to refuse the money, donating the cash to Save the Children and the Seattle Humane Society charities respectively.

The company is continuing to offer money in exchange for vulnerabilities found in selected applications, promising up to $100,000 for novel exploitation techniques capable of bypassing the security mitigations built into Windows 8.1, alongside an additional $50,000 for those who provide suggestions for how those security subsystems could be bolstered to prevent such attacks. Full details are available on the company's official website.

7 Comments
Corky42 8th October 2013, 10:50
I bet the payout to the two Google employees didn't go down well, what with Microsoft's Scroogle campaign.

Any idea why Microsoft has previously eschewed bug bounties? Seems like a good thing to be doing.
dyzophoria 8th October 2013, 10:56
Honestly, this should be a standard for every company, especially Adobe and Oracle; they should really consider this.
schmidtbag 8th October 2013, 22:49
Quote:
Originally Posted by dyzophoria
Honestly, this should be a standard for every company, especially Adobe and Oracle; they should really consider this.

lol yeah, right. Not only would Adobe not pay anyone outside of their company but the amount of security flaws and bugs people would find in their software and services would destroy their reputation.

Same with Oracle, at least with Java.
Corky42 9th October 2013, 01:13
Not to mention Adobe would probably go bust from having to pay out for so many security vulnerabilities. ;)
Gareth Halfacree 9th October 2013, 10:12
Quick update: Microsoft has announced an even bigger payout of $100,000 to James Forshaw for a vulnerability in Windows 8.1, with full details on the official blog.
Waynio 10th October 2013, 20:01
Quote:
Originally Posted by Gareth Halfacree
Quick update: Microsoft has announced an even bigger payout of $100,000 to James Forshaw for a vulnerability in Windows 8.1, with full details on the official blog.

Wish I had the skills to do that, seems there is good money in bug hunting. :D
Corky42 12th October 2013, 10:45
Quote:
Originally Posted by Waynio
Wish I had the skills to do that, seems there is good money in bug hunting. :D

Not so much :| It would seem the tax man and the company you work for take most of the money.
http://www.theguardian.com/technology/2013/oct/11/microsoft-bug-hunter-100000-bounty-james-forshaw