Is Microsoft's new bug bounty programme working? A $100,000 payout says it is

UK researcher is first to hit jackpot

Four months into its high-profile bug bounty programme, Microsoft has handed out its first $100,000 (£66,000) jackpot bounty to researcher James Forshaw of UK-based consultancy Context Information Security for discovering a potentially serious "mitigation bypass technique."

The firm is keeping details of the issue to itself until a fix is implemented, but to have earned the maximum payment the technique would have had to affect a range of Microsoft's software, with the focus on the forthcoming Windows 8.1 upgrade.

Launched in June after years of holding out against paying bounties, Microsoft's programme has two levels of payment, of which the mitigation bypass tier, at a maximum of $100,000, is the most highly rewarded.

A second reward tier allows bounty hunters to submit a 'BlueHat' solution to the mitigation bypass, triggering a further payment of up to $50,000. A nominal third tier for flaws in Internet Explorer 11 Preview edition was time-limited to 30 days and is now closed.

It's an unorthodox reward system in that it doesn't place the emphasis on individual software flaws, although Microsoft can get hold of plenty of these indirectly through vendors running their own programmes. Bypasses are attack techniques that defeat the defences Microsoft builds into its operating system, and because one technique can undermine the protection for whole classes of bugs, they command the extra value.

The company has hinted that it might expand the program's remit in future.

"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack," said Microsoft's MSRC senior security strategist, Katie Moussouris.

"This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."

In addition to becoming the first researcher to hit the $100,000 bounty, Forshaw separately discovered another $9,400 worth of bugs under the IE11 Preview programme.

"Microsoft's Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count," commented Forshaw.

The work called for lateral thinking rather than simply trying to make a program fall over, as would be the case with conventional bug hunting.

"To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful."

The company that pioneered bug bounties is TippingPoint (later acquired by HP), which launched its Zero Day Initiative as far back as 2005. At the time it was hugely controversial, seen as rewarding and incentivising hackers to find flaws that might end up being sold to higher-bidding black hats.

The conventional wisdom has now changed dramatically, with many large software vendors running some kind of programme, even if Yahoo's was so chaotic that last week it had to admit it had been sending out nothing more interesting than T-shirts to its presumably rather insulted informants. It later announced that it would replace this with conventional bounties of between $150 and $15,000.

Stories by John E Dunn