itb-nz logo
Story image

$100K Reward: Microsoft Bounty Hunters

01 Aug 2013

As long as people write code, it’s going to be imperfect.

That's the line coming out of Redmond, where a class of security researchers colloquially known as “bug hunters” are plying their trade, costing Microsoft up to US$100,000 for the pleasure.

In a bid to help make safer products, the company has employed several new hackers via several new bounty programs to catch vulnerabilities, discover techniques that can get past a program’s defenses and even recommend repairs for problems.

“It’s my job to think of new programs to work with the hacker community so we can help protect our customers,” says Katie Moussouris, head of security community and strategy, Microsoft Security Response Center.

Moussouris leads a team developing new bounty programs to attract security researchers and hackers who can find bugs in applications and identify the techniques that sneak by defenses built into Windows.

Microsoft believes this to be valuable information, especially while a product is still in the beta phase, as it can be fixed before the public uses it.

The Internet Explorer 11 Preview Bounty closed on July 26 after being open for 30 days, since the public release of Internet Explorer 11 Preview at the Microsoft Build Developer Conference in San Francisco.

That program focused on reporting bugs and paid out amounts from $500 to $11,000 based on the complexity of the vulnerability and the amount of detail the finders were able to provide to the judging team in charge of evaluating each bug.

Moussouris says they received more than 20 submissions for the IE11-specific program.

Two other programs, the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense, are ongoing, ready to pay out up to $100,000 for a "truly novel exploitation technique that kneecaps protective systems built into the latest publicly available version of the operating system (Windows 8.1 Preview, also released at Build), and up to a $50,000 bonus for effective defenses against those exploitation techniques."

There have been no submissions for these programs yet, but that’s not surprising, Moussouris says, since the number of researchers capable of finding those types of issues number fewer than 1,000 worldwide.

The high payouts reflect the high value of mitigation bypasses she says.

"While vulnerabilities are one-shot deals and fixed quickly, attackers can use bypass techniques against multiple vulnerabilities," she says.

"The bounty program wants to yank those powerful techniques out of those attackers’ hands."