June 20, 2013
Microsoft Launches Security Bounty Program, Will Pay Up To $100k For Exploits
redOrbit Staff & Wire Reports - Your Universe Online
Microsoft announced on Wednesday that it will launch a security bounty program that pays as much as $100,000 to anyone who exposes flaws, bugs and security vulnerabilities in its software, both before and after the products are released.
The program will officially kick off on June 26, the same day that Windows 8.1 Preview begins shipping.
While companies such as Mozilla, Google and Facebook have similar bounty programs already in place, Microsoft has long resisted the approach, which offers direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques. Microsoft says its shift is based on a desire “to learn about these issues earlier and to increase the win-win between Microsoft's customers and the security researcher community.”
The amount of the bounty Microsoft will pay under the program differs according to the product and type of vulnerability exposed. The company will pay up to $11,000 for Internet Explorer 11 vulnerabilities, up to $50,000 for “defensive ideas that accompany a qualifying Mitigation Bypass submission,” and as much as $100,000 for “truly novel exploitation techniques” that uncover security issues in Windows 8.1 Preview.
Microsoft outlined the three elements of the program as follows:
• Mitigation Bypass Bounty — Microsoft will pay up to $100,000 for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest.
• BlueHat Bonus for Defense — Microsoft will pay up to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered.
• IE11 Preview Bug Bounty — Microsoft will pay up to $11,000 for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 Preview period. Learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft deliver the most secure version of IE to our customers.
Katie Moussouris, a Senior Security Strategist at Microsoft Research, suggested the company would likely announce a number of additional ways to work with users and industry partners to uncover security-related issues.
“We’ll be running these new bounty programs, learning and adjusting, much like other vendors who have waded in to the vulnerability marketplace before us. We’ll announce the evolution of these programs as we develop them further and will share some of the highlights as we go,” she said.
“Stay tuned for more updates from our team in the coming weeks, especially in the realm of industry collaboration. With the strategic bounty programs announced today and the industry collaboration program enhancements to come, Microsoft will simultaneously encourage those who want to work with us while increasing costs for those whose actions cannot be affected by bounties or other incentive programs.”
Specific guidelines on Microsoft's Mitigation Bypass Bounty and BlueHat Bonus for Defense can be found here. Rules for the Internet Explorer 11 Preview Bug Bounty Program can be found here. Microsoft's judges have also provided a description of the preferred structure for submissions, which can be found here.