Microsoft opens $100K bounty for mitigation bypass to more entrants

Microsoft's new bug bounty program is likely turning a lot more heads interested in cashing in on exploits affecting the company's software.

The tech giant recently announced that a subsection of its program, which paid individuals $100,000 for inventing new mitigation bypass techniques, was now “expanding the pool of talent who can participate.”

Before, only individuals who invented new mitigation bypass techniques for the company were in the running for the high-dollar reward.

But, according to Katie Moussouris, a senior security strategist at Microsoft's security response center, who blogged about the program's “evolution” last Friday, those who discover and disclose the specific issue being actively exploited will also be included.

Microsoft introduced its bug bounty program in June, finally offering monetary incentives for researchers reporting vulnerabilities.

“We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild,” Moussouris wrote, later explaining the impact of the change.

“Today's news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.”

Those wishing to participate will be required to pre-register by emailing [email protected] before submitting proof-of-concept code and technical analysis of active exploits, Moussouris said.

Entrants offering up a “qualifying defense idea” to thwart attacks would also be eligible for up to $50,000.

With the move, Microsoft aims to shorten the time that exploits and bugs sold on the underground market are usable, “especially for targeted attacks that rely on stealthy exploitation without discovery,” she added.

So far, one researcher has been awarded the $100,000 prize for reporting a critical mitigation bypass flaw in Windows 8.1. Last month, James Forshaw, a security vulnerability researcher with U.K.-based Context Information Security, nabbed the coveted bounty.