itb-nz logo
Story image

Microsoft offers $100k bounty to hackers

20 Jun 2013

In a severe change of tact, Microsoft is willing to cough up financial rewards for anybody capable of finding security flaws in Windows 8.1.

Offering a US$100,000 bounty, the Redmond-based company believes it is a small price to pay for information regarding security bugs which can exploit software defences.

But after dismissing previous campaigns from rivals Google and Facebook who sought similar advice from accomplished hackers, Microsoft is now blowing both out of the water when it comes to money.

Google currently offers $20k and while Facebook does not specify the maximum reward for such services, the minimum payment comes in at a mere $500.

“These are super challenging to discover and they require a new technique,” says Mike Reavey, director of Microsoft’s Security Response Center.

“So to get people thinking in this area really does require a top-dollar reward.”

Set for launch on June 26, Microsoft is offering the following rewards:

• Mitigation Bypass Bounty:

Microsoft will pay up to $100,000 for "truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview)."

Learning about new exploitation techniques earlier helps Microsoft "improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would."

• BlueHat Bonus for Defence:

Additionally, Microsoft will pay up to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission.

• Internet Explorer 11 Preview Bug Bounty:

Microsoft will also pay up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

The entry period for this program will be the first 30 days of the Internet Explorer 11 beta period (June 26 to July 26, 2013).

"Our new bounty programs add fresh depth and flexibility to our existing community outreach programs," Microsoft says in a statement.

"Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers."

Could you exploit Microsoft's software defences? Is $100k enough for your troubles? Tell us your thoughts below