Microsoft Puts A Bigger Bounty On Bugs

Microsoft is increasing the rewards for security pros who help harden its Windows operating system technologies.

“We are raising the Bounty for Defense [program’s] maximum from $50,000 USD to $100,000 USD,” bringing its payout in line with the discovery of a major exploit, said Microsoft Security Architect Jason Shirk in an Aug. 6 announcement amidst this week’s Black Hat security conference festivities in Las Vegas.

“Eligible defense submissions will include a technical whitepaper to describe the defense idea that could effectively block an exploitation technique that currently bypasses either the latest platform mitigations or a defensive submission that blocks exploits that is not in the latest platform,” explains the company’s FAQ on the program.

Shirk further noted that the change in policy compensates “the novel defender equally for their research.” And for a short while, researchers who crack Microsoft’s safeguards related to user credentials have a shot at bigger payouts as well.

Bug bounty growth

“I am also very excited to announce that we are launching a bonus period for Authentication vulnerabilities in the Online Services Bug Bounty,” said Shirk. “All payouts during this period will receive twice the normal payout,” meaning that Microsoft will part with “$30,000 USD for a great Authentication vulnerability,” he added.

The bonus period ends Oct. 5. Affected services include Microsoft Account and Azure Active Directory. Added to the affected list of services covered by the Online Services Bug Bounty is RemoteApp, Microsoft’s cloud app delivery service.

Just as members of the Windows Insider early-access program helped influence how Windows 10 was developed, Microsoft is banking on its bug-hunting initiatives to help secure its offerings.

“These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft,” Shirk stated. “Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.”

Software makers are increasingly turning to bug bounty programs in an effort to navigate a rapidly evolving data security landscape, and more importantly, to outwit hackers. IT security professionals, in turn, are finding new ways of supplementing their income.

In compiling its recent State of Bug Bounty Report, Bugcrowd said that in the 30 months between January 2013 and June 2015, the startup’s clients paid out $724,014.02 to 566 security researchers. As the company’s name suggests, Bugcrowd takes a crowdsourced approach to vulnerability assessments. The average payout currently stands $200. The biggest payment was $10,000, issued sometime during the second quarter of 2014.

On occasion, major software providers cut a big check to their fellow IT bigwigs.

In February, Microsoft awarded Hewlett-Packard’s Zero Day Initiative (ZDI) researchers a $125,000 prize for a use-after-free (UAF) vulnerability affecting Internet Explorer. A type of memory corruption, UAF can potentially allow attackers to gain access to affected systems. “Hackers are using UAF vulnerabilities quite frequently to get into systems, so the more of them that we can get off the market, the better,” HP ZDI researcher Brian Gorenc told eWEEK’s Sean Michael Kerner at the time.

Originally published on eWeek.

Pedro Hernandez

Pedro Hernandez covers Microsoft products and services, such as Office, Windows, Windows Phone, Azure and Skype.

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

22 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

23 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

24 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago