Microsoft marked yesterday’s tenth anniversary of Patch Tuesday by awarding a security bounty of $100,000 to a researcher at a UK company.
The award was made after James Forshaw, head of vulnerability research at Context Information Security, uncovered a new type of mitigation bypass technique that could be used against the company’s latest version of its Windows operating system.
The whopping payout from Microsoft takes its outlay on bug bounties to over $128,000, after the company paid out $28,000 just last week to a total of six security researchers who discovered exploits in the preview version of Internet Explorer 11.
Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique.
Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James' submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.
For obvious reasons Microsoft will not disclose any further details about Forshaw’s mitigation bypass technique until it has taken the necessary steps to address it. The company did, however, say that it is “excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.”
Writing on the BlueHat blog, Katie Moussouris, senior security strategist for Microsoft Security Response Center, said that the reason for paying such a large bounty for a new attack technique was that it allowed the company to develop defences against across its product range:
This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers.
When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.
Commenting on the award, Forshaw said:
Microsoft's Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count. Receiving the recognition for my entry is exciting to me and my employer Context, it also gives me the satisfaction that I am contributing to improving the security of both Microsoft's and Context's customers.
Whilst I suspect that James, who has a track record of claiming other bounties via HP and the PWN2OWN contests, will be required to hand his award over to his employer, I do hope his achievements are recognised in some way.
If his company are feeling particularly generous it could, perhaps, give him a percentage of the cash.
Otherwise, I guess it could always consider giving him some gift vouchers, though it may want to check how the security community reacted when Yahoo offered a paltry $12.50 to researchers who discovered vulnerabilities under its bug bounty program.
Yahoo has now responded by increasing its potential payouts to the $150 – $15,000 range but that still pales in comparison to this bounty paid out by Microsoft.
Whether that disparity affects the efforts of researchers to point out security vulnerabilities to Yahoo remains to be seen, though I personally would like to think some have motivations besides money.