Microsoft pays out its first $100,000 bug bounty

Filed Under: Featured, Microsoft, Vulnerability, Windows

Microsoft marked yesterday's tenth anniversary of Patch Tuesday by awarding a security bounty of $100,000 to a researcher at a UK company.

The award was made after James Forshaw, head of vulnerability research at Context Information Security, uncovered a new type of mitigation bypass technique that could be used against the company's latest version of its Windows operating system.

The whopping payout from Microsoft takes its outlay on bug bounties to over $128,000, after the company paid out $28,000 just last week to a total of six security researchers who discovered exploits in the preview version of Internet Explorer 11.

One of those six researchers was Forshaw who received $9,400 for his efforts. The much more impressive bounty announced today almost didn't come his way, though:

Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique.

Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James' submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.

For obvious reasons Microsoft will not disclose any further details about Forshaw's mitigation bypass technique until it has taken the necessary steps to address it. The company did, however, say that it is "excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants."

Writing on the BlueHat blog, Katie Moussouris, senior security strategist for Microsoft Security Response Center, said that the reason for paying such a large bounty for a new attack technique was that it allowed the company to develop defences against across its product range:

This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers.

When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.

Commenting on the award, Forshaw said:

Microsoft's Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count. Receiving the recognition for my entry is exciting to me and my employer Context, it also gives me the satisfaction that I am contributing to improving the security of both Microsoft's and Context's customers.

Whilst I suspect that James, who has a track record of claiming other bounties via HP and the PWN2OWN contests, will be required to hand his award over to his employer, I do hope his achievements are recognised in some way.

If his company are feeling particularly generous it could, perhaps, give him a percentage of the cash.

Yahoo bounty. Image courtesy of ShutterstockOtherwise, I guess it could always consider giving him some gift vouchers, though it may want to check how the security community reacted when Yahoo offered a paltry $12.50 to researchers who discovered vulnerabilities under its bug bounty program.

Yahoo has now responded by increasing its potential payouts to the $150 - $15,000 range but that still pales in comparison to this bounty paid out by Microsoft.

Whether that disparity affects the efforts of researchers to point out security vulnerabilities to Yahoo remains to be seen, though I personally would like to think some have motivations besides money.

Image of briefcase with cash, ten dollar bill, one dollar bill, and quarters courtesy of Shutterstock.

You might like

3 Responses to Microsoft pays out its first $100,000 bug bounty

  1. Machin Shin · 733 days ago

    "Whether that disparity affects the efforts of researchers to point out security vulnerabilities to Yahoo remains to be seen, though I personally would like to think some have motivations besides money."

    Well, Yes, I'm sure there are plenty of people who have other motivations besides the money. Things like the fame and the challenge of it. Of course, if your doing this kind of thing just because you enjoy a good challenge, the possibility of also getting $100,000 sure does make it a lot sweeter. Also, if I was doing this kind of thing for the fun of it and had to pick a target for my next challenge... $12.50 or $100,000... kind of obvious what one I would choose. Both would be fun and provide a challenge, but one gives so much more.

  2. Vinny Sheridan · 733 days ago

    Dear All.
    I would just like to know whether or not anyone else has any problems with their Computers after this last Patch Tuesday.
    I can no longer access Windows Update, Microsoft have been less than helpful, also there are other people on various forums who have had similar problems.
    I have done a full Scan of my computer and have no Virus.. ( On Windows XP )
    Any Guidance would be Fabulous!!!
    Vinny Sheridan, Manchester UK.

    • Tom · 733 days ago

      Restore to prior the updates then just install one at a time then checking until you can no longer access WU.

      Also check that Windows Module Installer is set to Manual in services.msc

      As the Updates included a number for .NET Framework, it could have disrupted the existing install.

      To help with that, Google for .NET Framework Repair Tool and use the Microsoft download link - this site doesn't seem to allow an active link to be pasted.

      It could also be your AV program - don't know what you're using but if it isn't MSE then temporarily uninstall what you have and install MSE for elimination purposes if the previous suggestions don't resolve.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.