Before first bug bounty payout, Microsoft says new program is working

Microsoft claims its new bug bounty is working after announcing it is investigating the first “few” potential security vulnerabilities in beta software for which it could pay up to $100,000, even though it still might be outbid by grey market traders.

Microsoft launched its bug bounty two weeks ago and says the program is already paying dividends despite the absence of a single payout for new Microsoft bugs.

With up to $100,000 up for grabs, researchers who previously only reported Microsoft flaws to “white market” vulnerability brokers after the software was out of beta have begun reporting them directly to Microsoft ahead of the final release. The bug reports it has received concern the preview versions of Windows 8.1 and Internet Explorer (IE) 11, currently in scope of the program.

“Some entries are coming from familiar researchers, and some are coming from researchers who had historically only reported issues via white market vulnerability brokers, after our beta period was over,” Katie Moussouris, head of security community outreach and strategy at Microsoft, wrote in a blog post on Wednesday.

She concludes that “this means that our strategy to attract researchers to report issues directly to us earlier in the release cycle is working already.”

A fortnight ago Microsoft announced its new Google-like bug bounty program, promising researchers between $500 and $11,000 for critical remote execution vulnerabilities in Internet Explorer 11 Preview and up to $100,000 for attacks that bypass its built-in exploitation prevention techniques in the latest version of Windows.

Researchers have 30 days from June 26 to find and submit their discoveries to Microsoft, which is now assessing whether they pass the mark for a payout.

“We’ve received a few submissions to date for the IE 11 Preview Bug Bounty and the Mitigation Bypass Bounty. The investigations are underway, and we should be able to hit our target of letting those researchers know if they qualify for a bounty by next week,” said Katie Moussouris, head of security community outreach and strategy at Microsoft.

The company will judge some of the mitigation bypasses at the upcoming Black Hat conference in Las Vegas at the end of July.

With the new bug bounty, Microsoft may gain insight into new flaws earlier, but the bounty is still not enough to cap the grey market trade in vulnerabilities, which offers entities other than Microsoft the opportunity to own and exploit flaws in widely available software.

Defending a criticism on Twitter that Microsoft believed it was making the highest bid for new vulnerabilities, Moussouris noted that it was not about “being the highest bid” and emphasised it was a monopsony buyer of beta bugs.

However, later, Moussouris conceded that some researchers may be selling bugs in beta Microsoft software to grey market buyers, but countered that “not many researchers have those contacts” and that its program was for white market sellers.

“We're now reaching more [researchers] than before, and getting vulns earlier. Target acquired: white market sellers,” she remarked.

Microsoft’s bigger prize of up to $100,000 is for “novel” mitigation bypasses affecting Windows 8.1 that are capable of exploiting a user mode application that makes use of all Windows mitigation technologies covering stack corruption, heap corruption and code execution.

Last year it paid a researcher $200,000 through its “Blue Hat” prize for a defence against return-oriented programming (ROP) attacks, which have been used to bypass Data Execution Prevention. ROP attacks like this are therefore not eligible.
