Microsoft has announced that it has paid out more than $28,000 (around £17,422) as part of its first ever bug-bounty programme, which saw security researchers finding holes in its Internet Explorer browser.
Bounties for security vulnerabilities are a popular way for companies to outsource security auditing of their products: researchers who pledge to provide information on the flaws they find to the company and not to make them public until they are fixed can receive thousands of pounds in payments. The practice has a flip-side, however: vulnerability-trading companies who offer even more cash for exclusive rights to the exploit, in order to resell it to their customers before the developers have a chance to patch the hole.
Paying for bug information is a practice Microsoft has previously eschewed, despite some of its biggest competitors, including Google, running bug bounty programmes as part of their standard operating procedures. As a trial back in June, however, Microsoft announced it would be running a one-month bounty programme for the preview release of its Internet Explorer 11 web browser.
The programme closed in July, but Microsoft has only just released the results: more than $28,000 was paid out through the programme to six security researchers for finding and detailing 15 flaws in the software.
Jose Gonzalez of Yenteasy Security Research topped the table with a total of five security vulnerabilities, netting him $5,500 in cash; James Forshaw of Context Security came next with four bugs valued at $4,400 but earned an additional $5,000 in a bonus payment for finding a design vulnerability previously unknown to Microsoft; Masato Kinugawa found two vulnerabilities for a $2,200 payout; Peter Vreugdenhil of Exodus Intelligence found a single bug for an unspecified payout; and two Google employees, Ivan Fratric and Fermin Serna, found a bug each for $1,100 and $500 respectively. Interestingly, the two Google employees were the only researchers to refuse the money, donating the cash to Save the Children and the Seattle Humane Society charities respectively.
The company is continuing to offer money in exchange for vulnerabilities found in selected applications, promising up to $100,000 for novel exploitation techniques designed to thwart the security features found in Windows 8.1, alongside an additional $50,000 for those who provide suggestions for how the security subsystems could be bolstered to prevent such attacks. Full details are available on the company's official website.