Microsoft handed out its biggest ever bug bounty cheque earlier this week, on the 10th anniversary of Patch Tuesday. The company announced a bug bounty program in June this year, to help it close security holes before they could become a problem. Both IE11 and Windows 8.1 software had bug bounty schemes; the IE11 scheme is now closed but Windows 8.1 bug bounty hunters can soldier on.
Microsoft congratulated the UK's James Forshaw, a security researcher at Context Information Security, on his success in achieving the first ever $100,000 award. The Microsoft Blue Hat Blog revealed that Forshaw also secured some cash ($9,400) from Redmond due to finding IE11 design-level bugs. Security researcher Forshaw’s Windows 8.1 bug bounty submission “was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” said Microsoft.
Of course any details about the vulnerability won’t be disclosed until it is fully addressed by Microsoft’s software engineers; however it is said that Forshaw’s submission revealed a whole mitigation bypass technique. This is the reason behind the hefty bounty payment. “The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defences against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications,” wrote Microsoft’s Katie Moussouris on the BlueHat blog.
The Sophos Naked Security blog contains a quote from the $100k winning Forshaw, who said “Microsoft's Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count. Receiving the recognition for my entry is exciting to me and my employer Context, it also gives me the satisfaction that I am contributing to improving the security of both Microsoft's and Context's customers”. Naked Security noted that the bounty will very probably go in-whole to Forshaw’s employer but hopes his achievements are recognised, at least with some gift vouchers...
