IE11 Goes to Zero — A History of Browser Security and Bug Bounties – ASW #201
IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.
References:
- https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
- https://web.archive.org/web/20130719064943/
- http://www.microsoft.com/security/msrc/report/IE11.aspx
- https://web.archive.org/web/20190507215514/
- https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
