Microsoft Rewards First $100,000 Bounty for Windows Security Break
Microsoft awards researchers for finding security holes in its products, with users benefiting from fewer security issues in soon-to-be released offerings.Microsoft awarded more than $128,000 in bounties to researchers for finding vulnerabilities in its products, including a whopping $100,000 reward to one researcher for finding a way to get around all of Windows 8's defenses. The bounties, part of a reward-for-bugs program kicked off by Microsoft in June, were announced this week on Microsoft's regularly scheduled Patch Tuesday, when the company releases updates to fix security holes in its products. Security consultant James Forshaw claimed the $100,000 bounty for finding an attack vector that bypassed all of Microsoft's current mitigations, the company said. "Our strategy is working," Katie Moussouris, senior security strategist lead for Microsoft's Trustworthy Computing group, wrote in response to an email query from eWEEK. "We are getting vulnerability and new attack techniques reported to us earlier; we are engaging with more security researchers that we might not otherwise hear from, as well as encouraging continuing engagement with some of the bright minds we’ve worked closely with in the past." Six researchers, including Forshaw have also submitted vulnerabilities for a second program focused on finding flaws in Internet Explorer 11 before the browser is released to the masses. Microsoft has awarded more than $28,000 in that program to date.
In the past, security researchers have often called for Microsoft to offer money to reward those researchers who find bugs and responsibly disclose the vulnerabilities to the company. While other companies—such as Google, Mozilla, Facebook, HP and iDefense—have offered bounties to the finders of security flaws, Microsoft continued to shy away from paying for research.