Microsoft Puts a Bigger Bounty on Bugs

The company promises bigger payouts for security researchers who find authentication exploits and submit ideas to strengthen Windows' defenses.

bug bounty

Microsoft is increasing the rewards for security pros who help harden its Windows operating system technologies.

"We are raising the Bounty for Defense [program's] maximum from $50,000 USD to $100,000 USD," bringing its payout in line with the discovery of a major exploit, said Microsoft Security Architect Jason Shirk in an Aug. 6 announcement amidst this week's Black Hat security conference festivities in Las Vegas.

"Eligible defense submissions will include a technical whitepaper to describe the defense idea that could effectively block an exploitation technique that currently bypasses either the latest platform mitigations or a defensive submission that blocks exploits that is not in the latest platform," explains the company's FAQ on the program.

Shirk further noted that the change in policy compensates "the novel defender equally for their research." And for a short while, researchers who crack Microsoft's safeguards related to user credentials have a shot at bigger payouts as well.

"I am also very excited to announce that we are launching a bonus period for Authentication vulnerabilities in the Online Services Bug Bounty," said Shirk. "All payouts during this period will receive twice the normal payout," meaning that Microsoft will part with "$30,000 USD for a great Authentication vulnerability," he added.

The bonus period ends Oct. 5. Affected services include Microsoft Account and Azure Active Directory. Added to the affected list of services covered by the Online Services Bug Bounty is RemoteApp, Microsoft's cloud app delivery service.

Just as members of the Windows Insider early-access program helped influence how Windows 10 was developed, Microsoft is banking on its bug-hunting initiatives to help secure its offerings.

"These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft," Shirk stated. "Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits."

Software makers are increasingly turning to bug bounty programs in an effort to navigate a rapidly evolving data security landscape, and more importantly, to outwit hackers. IT security professionals, in turn, are finding new ways of supplementing their income.

In compiling its recent State of Bug Bounty Report, Bugcrowd said that in the 30 months between January 2013 and June 2015, the startup's clients paid out $724,014.02 to 566 security researchers. As the company's name suggests, Bugcrowd takes a crowdsourced approach to vulnerability assessments. The average payout currently stands $200. The biggest payment was $10,000, issued sometime during the second quarter of 2014.

On occasion, major software providers cut a big check to their fellow IT bigwigs.

In February, Microsoft awarded Hewlett-Packard's Zero Day Initiative (ZDI) researchers a $125,000 prize for a use-after-free (UAF) vulnerability affecting Internet Explorer. A type of memory corruption, UAF can potentially allow attackers to gain access to affected systems. "Hackers are using UAF vulnerabilities quite frequently to get into systems, so the more of them that we can get off the market, the better," HP ZDI researcher Brian Gorenc told eWEEK's Sean Michael Kerner at the time.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...