Microsoft Puts A Bigger Bounty On Bugs

Microsoft is increasing the rewards for security pros who help harden its Windows operating system technologies.

“We are raising the Bounty for Defense [program’s] maximum from $50,000 USD to $100,000 USD,” bringing its payout in line with the discovery of a major exploit, said Microsoft Security Architect Jason Shirk in an Aug. 6 announcement amidst this week’s Black Hat security conference festivities in Las Vegas.

“Eligible defense submissions will include a technical whitepaper to describe the defense idea that could effectively block an exploitation technique that currently bypasses either the latest platform mitigations or a defensive submission that blocks exploits that is not in the latest platform,” explains the company’s FAQ on the program.

Shirk further noted that the change in policy compensates “the novel defender equally for their research.” And for a short while, researchers who crack Microsoft’s safeguards related to user credentials have a shot at bigger payouts as well.

Bug bounty growth

“I am also very excited to announce that we are launching a bonus period for Authentication vulnerabilities in the Online Services Bug Bounty,” said Shirk. “All payouts during this period will receive twice the normal payout,” meaning that Microsoft will part with “$30,000 USD for a great Authentication vulnerability,” he added.

The bonus period ends Oct. 5. Affected services include Microsoft Account and Azure Active Directory. Added to the affected list of services covered by the Online Services Bug Bounty is RemoteApp, Microsoft’s cloud app delivery service.

Just as members of the Windows Insider early-access program helped influence how Windows 10 was developed, Microsoft is banking on its bug-hunting initiatives to help secure its offerings.

“These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft,” Shirk stated. “Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.”

Software makers are increasingly turning to bug bounty programs in an effort to navigate a rapidly evolving data security landscape, and more importantly, to outwit hackers. IT security professionals, in turn, are finding new ways of supplementing their income.

In compiling its recent State of Bug Bounty Report, Bugcrowd said that in the 30 months between January 2013 and June 2015, the startup’s clients paid out $724,014.02 to 566 security researchers. As the company’s name suggests, Bugcrowd takes a crowdsourced approach to vulnerability assessments. The average payout currently stands $200. The biggest payment was $10,000, issued sometime during the second quarter of 2014.

On occasion, major software providers cut a big check to their fellow IT bigwigs.

In February, Microsoft awarded Hewlett-Packard’s Zero Day Initiative (ZDI) researchers a $125,000 prize for a use-after-free (UAF) vulnerability affecting Internet Explorer. A type of memory corruption, UAF can potentially allow attackers to gain access to affected systems. “Hackers are using UAF vulnerabilities quite frequently to get into systems, so the more of them that we can get off the market, the better,” HP ZDI researcher Brian Gorenc told eWEEK’s Sean Michael Kerner at the time.

Originally published on eWeek.

Pedro Hernandez

Pedro Hernandez covers Microsoft products and services, such as Office, Windows, Windows Phone, Azure and Skype.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago