Microsoft launches security bounty programs for Windows 8.1 and IE 11 Preview

The company aims to fill the gaps in the vulnerability market and strengthen exploit defenses in Windows

Microsoft will pay security researchers for finding and reporting vulnerabilities in the preview version of its Internet Explorer 11 (IE 11) browser, for finding novel techniques to bypass exploit mitigations present in Windows 8.1 or later versions and for coming up with new ideas to defend against exploits.

The monetary rewards will be paid through three bounty programs the company launched Wednesday.

The payouts will range between US$500 and $11,000 for vulnerabilities found in IE 11 Preview, depending on the type of vulnerability and quality of the report, and up to $100,000 for mitigation bypasses in Windows 8.1 and later versions.

There is also a defense bonus of up to $50,000, the BlueHat Bonus for Defense. Participants must submit a technical paper that describes an idea that could be used to block an exploitation technique that bypasses the latest Windows platform mitigations. The reward will depend on the quality and uniqueness of the idea, Microsoft said in the program's guidelines.

In order to be eligible for the Mitigation Bypass Bounty program, submissions will have to include an exploit for a remote code execution (RCE) vulnerability in a user-mode application that uses a novel way to bypass the Windows platform's stack corruption, heap corruption and code execution mitigations.

These mitigations are discussed in a Microsoft white paper called Mitigating Software Vulnerabilities and include DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) among others.

The new exploitation method must not be one that Microsoft already knows about or that has been described in prior work, and the submission must also include a white paper explaining the method.
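A practical caveat for anyone weighing a submission: a technique only bypasses a mitigation if the target actually has that mitigation enabled. On Windows, DEP and ASLR are opt-in per image through bits in the PE optional header's DllCharacteristics field, and ASLR additionally requires that the image still carries relocation data, so an exploit that merely finds a module which never opted in is not a platform bypass. The following script is an added example, not code from the article or from Microsoft: it parses the PE headers directly (flag values are from winnt.h) and reports which mitigations an image opts into. The sample headers it builds are constructed inline for demonstration and are not loadable binaries.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (values from winnt.h)
HIGH_ENTROPY_VA = 0x0020  # 64-bit images: use the full high-entropy address space
DYNAMIC_BASE    = 0x0040  # image may be rebased at load time (ASLR opt-in)
NX_COMPAT       = 0x0100  # image is DEP-compatible
GUARD_CF        = 0x4000  # Control Flow Guard instrumented (later Windows 8.1 builds)
# IMAGE_FILE_HEADER.Characteristics bit
RELOCS_STRIPPED = 0x0001  # no relocation data: the loader cannot move the image


def mitigation_flags(image: bytes) -> dict:
    """Parse just enough of a PE image to report its mitigation opt-ins."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dllchar,) = struct.unpack_from("<H", image, opt + 70)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dllchar & NX_COMPAT),
        # DYNAMIC_BASE alone is not enough: without .reloc data the image loads
        # at its preferred base and ASLR is silently ineffective for it.
        "aslr": bool(dllchar & DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": magic == 0x20B and bool(dllchar & HIGH_ENTROPY_VA),
        "cfg": bool(dllchar & GUARD_CF),
        "relocs_stripped": relocs_stripped,
    }


def missing_mitigations(image: bytes) -> list:
    """Human-readable list of mitigations the image does not opt into."""
    f = mitigation_flags(image)
    missing = []
    if not f["dep"]:
        missing.append("DEP (NX_COMPAT not set)")
    if not f["aslr"]:
        missing.append("ASLR (DYNAMIC_BASE not set or relocations stripped)")
    if f["pe32plus"] and not f["high_entropy_va"]:
        missing.append("high-entropy ASLR (HIGH_ENTROPY_VA not set)")
    return missing


def build_sample_pe(dllchar: int, characteristics: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for demonstration; not a loadable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With no arguments, show the three constructed cases; otherwise inspect real files.
    samples = {
        "hardened (constructed)": build_sample_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA),
        "relocs stripped (constructed)": build_sample_pe(DYNAMIC_BASE, RELOCS_STRIPPED),
        "legacy PE32 (constructed)": build_sample_pe(0, pe32plus=False),
    }
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for name, data in samples.items():
        gaps = missing_mitigations(data)
        print(f"{name}: {'all mitigations opted in' if not gaps else ', '.join(gaps)}")
```

Run it against a real module (`python pecheck.py C:\Windows\System32\kernel32.dll`) to see the same checks applied to a shipped binary; the point of the "relocs stripped" case is that a file can carry DYNAMIC_BASE and still be a fixed-address target, which is the kind of detail that separates a genuine mitigation bypass from a lucky target.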

The mitigation bypass and defense bonus programs will run on an ongoing basis starting with Windows 8.1 Preview version, which is expected to be released this month at Microsoft's Build developers conference.

However, the IE 11 Preview bug bounty program will end when the final version of IE 11 is released, since the goal of this particular program is to find and patch vulnerabilities at the best possible time, during the beta period, said Mike Reavey, the senior director of the Microsoft Security Response Center (MSRC).

Google and Mozilla also have bug bounty programs for their respective browsers, Chrome and Firefox, but those programs have been running on an ongoing basis for several years.

The IE 11 program will reward individual vulnerability reports with different payouts depending on the criticality of the reported issue and quality of the report.

For example, remote code execution vulnerabilities can fall into the Tier 0, Tier 1 or Tier 2 payout categories. A Tier 1 report, which must be accompanied by a proof-of-concept and a functioning exploit, receives a maximum payout of $11,000, while a Tier 0 report can be rewarded with more than $11,000, at Microsoft's discretion, but also requires a white paper and possibly a sandbox escape.

Important or high-severity design-level vulnerabilities, security bugs with privacy implications and sandbox escape vulnerabilities fall into the Tier 2 category and are rewarded with a minimum of $1,100. ASLR information disclosure vulnerabilities fall into the Tier 3 category and are rewarded with a minimum of $500.

Microsoft has paid for defensive techniques before, as part of its BlueHat Prize contest, and has also contracted researchers to pen-test its products internally. However, this is the company's first public bug bounty program.

Microsoft has always received vulnerability reports from outside researchers and continues to do so, Reavey said. However, the company also noticed a market shift, where many reports come from researchers through vulnerability brokers that buy vulnerability information through their own programs, he said.

That's great, because those are high quality reports, but there is a market gap that Microsoft's newly announced bounty programs will attempt to fill, Reavey said. "We don't see many brokers that pay for mitigation bypasses because those are top dollar and we also don't see brokers paying for vulnerabilities found before a product is released, while still in the beta period."

The beta testing period is the optimal time to receive this information, because it allows the developer to ship a more secure final product and address as many issues as possible before they can affect customers, Reavey said.

As for mitigation bypasses, Microsoft would traditionally receive those after they're found being used in attacks, or once a year or so as the result of contests run at security conferences, he said. "What we want to do is make sure we can get those year-round, as early as possible, so we can protect customers."

By Lucian Constantin