Hacker Receives Largest Ever Bounty For Reporting Microsoft Bug
October 9, 2013

Enid Burns for redOrbit.com – Your Universe Online

One hacker just made $100,000 from Microsoft. It wasn't from breaching Microsoft's security to glean corporate secrets or customer information; this hacker reported a bug. Microsoft will pay the hacker, and fix the security holes in its software. Microsoft reported the award on its Microsoft Security Response Center blog.

The $100,000 payment to hacker James Forshaw is the largest bounty awarded to date, Reuters reports. Forshaw heads vulnerability research at Context Information Security, a London-based security consulting firm. Forshaw identified a new "exploitation technique" in Windows. Now that the technique is identified, Microsoft can use it to develop defenses against a new class of attacks.

In addition to the $100,000, Forshaw earned $9,400 for identifying security bugs in a preview release of Internet Explorer 11. The latter award was detailed on Microsoft's BlueHat Blog. Five other hackers also received recognition for identifying and reporting security flaws. Rewards for the BlueHat Bonus for Defense bug bounty were promised to be up to $50,000.

Microsoft set up its bug bounty program back in June to encourage hackers to report bugs. The $100,000 reward was offered for the Mitigation Bypass Bounty during the Windows 8.1 preview. The bug bounty offered by Microsoft also included the BlueHat Bonus for Defense and IE11 Preview bounties, with rewards of up to $50,000 and $11,000 respectively.

Other companies that run bug bounty programs include Google and Facebook. Such programs offer hackers an incentive to report rather than exploit security flaws in software and online platforms.

Forshaw has produced numerous design-level attack techniques, according to Microsoft, ZD Net reports.

While Microsoft has provided some detail of the bugs identified by Forshaw, it will not disclose the nature of the attacks for which Forshaw collected his $100,000 reward, ZD Net reporter Larry Seltzer said.

Forshaw did go into some detail about his experience. Forshaw provided a statement, which was posted on ZD Net:

“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus on complex logic bugs. I'm keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires.

“Microsoft's Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offense to defense. It incentivizes researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.

“To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful. Receiving the recognition for my entry is exciting to me and my employer Context. It also gives me the satisfaction that I am contributing to improving the security of both Microsoft's and Context's customers.”

It is not known whether Forshaw will keep his full reward, or share it with Context and any Context employees who might have contributed to the identification of the bugs.