Microsoft Offers up to $250,000 for Hyper-V Vulnerabilities

Microsoft is offering security researchers up to a quarter of a million dollars for security flaws in Windows Hyper-V virtualization.

Bug bounty 2

It's that time of the year when the IT industry is focuses its attention on cyber-security, albeit a little apprehensively. During the Black Hat security conference, currently taking place in Las Vegas, security researchers share their latest findings, often providing a sobering and even disturbing survey of vulnerability in important software and IT systems.

Microsoft, no stranger to cyber-attacks targeting its operating system software and its cloud services portfolio, is seeking the help of IT security professionals in a renewed push to shore up Windows' defenses with a new bug bounty program.

Bug bounties have become a popular way for software providers to not only find vulnerabilities in their products, but also engage with the cyber-security community at large. For IT professionals with a knack for unearthing dangerous software bugs, it's an opportunity to supplement their income with some cold hard cash.

Finding a critical vulnerability can earn a researcher $1,923 on average, according to the 2017 Hacker-Powered Security report published last month by HackerOne, a bug bounty platform vendor. But that's chump change compared to some of the amounts paid out by some organizations. Technology vendors pay up to $30,000 on the HackerOne platform.

Even that figure pales in comparison to the money Microsoft is willing to pay in its latest Windows bug bounty programs.

"In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017," wrote Microsoft executives in a July 26 blog post. The program covers all features of the Windows Insider Preview in addition to certain areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard and Microsoft Edge, according the the blog post. Microsoft also said it's bumping up the pay-out range for the Hyper-V Bounty Program.

Researchers who uncover remote code execution (RCE) flaws in the Hyper-V hypervisor and host kernel, can earn up to $250,000. A familiar term to IT professionals who pore over Microsoft's support documentation every Patch Tuesday, remote code execution refers to a vulnerability that allows an attacker to remotely access a system, run code on the compromised device and potentially take over the entire system.

Microsoft is also offering monetary rewards for discovering remote code execution bugs in other Hyper-V components, although the dollar amounts aren't as lofty. For example, finding flaws in the Remotefx, Fibre Channel Adapter and Legacy Network Adapter Generation 1 components can earn a researcher between $5,000 and $20,000.

"An eligible submission includes a RCE vulnerability in Microsoft Hyper-V that enables a guest virtual machine to compromise the hypervisor, escape from a guest virtual machine to the host, or escape from one guest virtual machine to another guest virtual machine," states the terms of the Hyper-V bug bounty.

Meanwhile, the Internet Bug Bounty (IBB) program recently announced it had raised additional funding from Facebook, the Ford Foundation and GitHub. The organizations contributed $300,000 to encourage security researchers to report flaws in open-source software and help improve internet security.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...