Microsoft is increasing the rewards for security pros who help harden its Windows operating system technologies.
“We are raising the Bounty for Defense [program’s] maximum from $50,000 USD to $100,000 USD,” bringing its payout in line with the discovery of a major exploit, said Microsoft Security Architect Jason Shirk in an Aug. 6 announcement amidst this week’s Black Hat security conference festivities in Las Vegas.
“Eligible defense submissions will include a technical whitepaper to describe the defense idea that could effectively block an exploitation technique that currently bypasses either the latest platform mitigations or a defensive submission that blocks exploits that is not in the latest platform,” explains the company’s FAQ on the program.
Shirk further noted that the change in policy compensates “the novel defender equally for their research.” And for a short while, researchers who crack Microsoft’s safeguards related to user credentials have a shot at bigger payouts as well.
The bonus period ends Oct. 5. Affected services include Microsoft Account and Azure Active Directory. Added to the affected list of services covered by the Online Services Bug Bounty is RemoteApp, Microsoft’s cloud app delivery service.
Just as members of the Windows Insider early-access program helped influence how Windows 10 was developed, Microsoft is banking on its bug-hunting initiatives to help secure its offerings.
“These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft,” Shirk stated. “Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.”
Software makers are increasingly turning to bug bounty programs in an effort to navigate a rapidly evolving data security landscape, and more importantly, to outwit hackers. IT security professionals, in turn, are finding new ways of supplementing their income.
In compiling its recent State of Bug Bounty Report, Bugcrowd said that in the 30 months between January 2013 and June 2015, the startup’s clients paid out $724,014.02 to 56
On occasion, major software providers cut a big check to their fellow IT bigwigs.
In February, Microsoft awarded Hewlett-Packard’s Zero Day Initiative (ZDI) researchers a $125,000 prize for a use-after-free (UAF) vulnerability affecting Internet Explorer. A type of memory corruption, UAF can potentially allow attackers to gain access to affected systems. “Hackers are using UAF vulnerabilities quite frequently to get into systems, so the more of them that we can get off the market, the better,” HP ZDI researcher Brian Gorenc told eWEEK’s Sean Michael Kerner at the time.
Originally published on eWeek.
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…