IT Brief New Zealand - Technology news for CIOs & IT decision-makers
New Zealand
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
internet of things
#
work from home
Search
Story image
#
Cybersecurity
#
Microsoft
#
NDI
$100K Reward: Microsoft Bounty Hunters
Thu, 1st Aug 2013
FYI, this story is more than a year old
Author image
By Sean Mitchell, Publisher
Follow us

As long as people write code, it's going to be imperfect.

That's the line coming out of Redmond, where a class of security researchers colloquially known as “bug hunters” are plying their trade, costing Microsoft up to US$100,000 for the pleasure.

In a bid to help make safer products, the company has employed several new hackers via several new bounty programs to catch vulnerabilities, discover techniques that can get past a program's defenses and even recommend repairs for problems.

“It's my job to think of new programs to work with the hacker community so we can help protect our customers,” says Katie Moussouris, head of security community and strategy, Microsoft Security Response Center.

Moussouris leads a team developing new bounty programs to attract security researchers and hackers who can find bugs in applications and identify the techniques that sneak by defenses built into Windows.

Microsoft believes this to be valuable information, especially while a product is still in the beta phase, as it can be fixed before the public uses it.

The Internet Explorer 11 Preview Bounty closed on July 26 after being open for 30 days, since the public release of Internet Explorer 11 Preview at the Microsoft Build Developer Conference in San Francisco.

That program focused on reporting bugs and paid out amounts from $500 to $11,000 based on the complexity of the vulnerability and the amount of detail the finders were able to provide to the judging team in charge of evaluating each bug.

Moussouris says they received more than 20 submissions for the IE11-specific program.

Two other programs, the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense, are ongoing, ready to pay out up to $100,000 for a "truly novel exploitation technique that kneecaps protective systems built into the latest publicly available version of the operating system (Windows 8.1 Preview, also released at Build), and up to a $50,000 bonus for effective defenses against those exploitation techniques."

There have been no submissions for these programs yet, but that's not surprising, Moussouris says, since the number of researchers capable of finding those types of issues number fewer than 1,000 worldwide.

The high payouts reflect the high value of mitigation bypasses she says.

"While vulnerabilities are one-shot deals and fixed quickly, attackers can use bypass techniques against multiple vulnerabilities," she says.

"The bounty program wants to yank those powerful techniques out of those attackers' hands."

Related stories
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption
Half of online traffic in 2024 generated by bots, report finds
Cisco launches Hypershield for AI-driven security upgrade
Axis unveils hybrid cloud platform for adaptable security solutions
Keeper Security launches user-friendly passphrase generator
Top stories
Axis unveils next-gen Camera Station VMS & cloud solutions
Intel reshuffles Asia Pacific leadership to boost business growth
Coalition integrates cyber risk platform with top cloud services providers
Sapia Labs presents 'revolutionary' AI research at SIOP conference
Armis warns of major cyber-attack risk to 2024 global elections