On Wednesday, Microsoft announced that it will now pony up bounties of as much as $100,000 for novel exploitation techniques that defeat the protections built into Windows, starting with the upcoming preview version of Windows 8.1, due to be released later this month.
But that's not all. Researchers who go beyond reporting a novel exploit and send in a whitepaper describing an "effective, practical, and robust" mitigation for a qualifying exploit can earn up to an additional $50,000, which Microsoft has dubbed the "BlueHat Bonus for Defense".
Facebook, Google, Mozilla and Twitter have all offered bounties for some time, but those have ranged from a few hundred to several thousand dollars.
In contrast, Microsoft’s bounties are downright lavish.
Plus, they pertain specifically to research on products still in beta.
Microsoft's separate bounty program for the Internet Explorer 11 Preview, which will pay up to $11,000 per unique exploit, runs only from June 26 to July 26, 2013, so Microsoft is urging researchers to get hopping on preparing those reports.
Microsoft senior security strategist Katie Moussouris said in a blog post that rewarding researchers earlier in the game is better for all:
"[Many organizations] don’t offer bounties for software in beta, so some researchers would hold onto vulnerabilities until the code is released to manufacturing. Learning about these vulnerabilities earlier is always better for us and for our customers."
Microsoft may be late to the bug bounty game, but given the generous rewards and the focus on finding bugs early, while products are still in beta, there's a greatness to its lateness.