Microsoft waves more security pros into the pool for $100K bounties

Moves step closer to traditional bug bounties by accepting novel techniques found in active attacks that skirt Windows' defenses

Microsoft on Monday expanded its $100,000 bounty program, and will accept reports of in-the-wild attacks that demonstrate new techniques of bypassing Windows' anti-exploit technologies.

"This will be pretty disruptive," said Chris Wysopal, co-founder and CTO of Veracode, a Burlington, Mass. company that develops application security testing and risk management software, talking about the impact on cyber criminals. "This is a pretty big bounty for someone doing [security] incident response."

The expanded program lets front-line security researchers, which Microsoft described as "responders and forensics experts," submit reports of unique attack techniques that they have found in active exploits.

The maximum payment remains $100,000, the bar that Microsoft established in June when it kicked off what it called the "Mitigation Bypass Bounty."

Previously, Microsoft only accepted novel and reliable exploit techniques that researchers and academics had devised in the abstract, and which had not been used by actual hackers. The program aimed to acquire information about such techniques -- which could circumvent Windows 8.1's built-in defenses, like DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization) and SEHOP (Structured Exception Handling Overwrite Protection) -- before attackers used them so Microsoft could pre-empt exploits by beefing up the OS's protection.

Microsoft has awarded only one $100,000 Mitigation Bypass Bounty, which went to James Forshaw, the head of vulnerability research at U.K.-based Context Information Security, last month.

The change, as one security expert said, brings Microsoft closer to traditional bug bounty programs, which pay for each vulnerability. "[This] is very much riding the line of paying for zero-days," said Andrew Storms, director of DevOps at CloudPassage of San Francisco, in an instant message interview yesterday.

Microsoft declined to answer questions about how the changes were different from a per-bug bounty, with a spokesperson instead pointing to a blog post written by Katie Moussouris, a senior security strategist lead at the company, in which Moussouris likened bug bounties to paying to deflect individual arrows while the Microsoft program pays for information about "ways around the shield."

Security professionals disagreed whether Microsoft had crossed the line to a pay-for-bugs model, which the company has repeatedly said it would not do.

"It sure does seem to boil down to a person or organization has gotten their hands on a new attack method and they turn it over to Microsoft for a payout," said Storms. "Although I guess you could say that they are paying for a technique instead of a payload."

While acknowledging that it was "splitting hairs" to deny that the new program was a bug bounty, Wysopal said that "It's only for mitigation bypasses, it's not just for any zero-day bug. They're not paying for a zero-day [vulnerability] in Windows XP, for example."

Moussouris stressed that the bounty program expansion would now draw from a much larger pool of people. "We are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild," she wrote.

The single award thus far points to the difficulty in meeting the original program's criteria, and the expansion signals that Microsoft wanted more grist for its mill.

But it's not opening up the program to just any Tom, Dick or Harriet hacker. Only pre-certified organizations will be allowed to submit reports eligible for the $100,000 awards, and then, as Storms pointed out, only after they sign an agreement that will, as in prior contests, require the reporters to not disclose details of the attack technique.

"I think they did that so that one black hat couldn't get paid for stealing from another black hat," said Wysopal, using the term for criminal coders, when asked why Microsoft wanted to pre-qualify those who submitted reports. "They're trying to make sure that only white hat, legitimate incident responders, get the money."

And he applauded the bounty expansion. "This is very smart. This raises the cost of offense because defenders will be on the lookout for mitigation bypass techniques in the zero-days they find, and [they're] incentivized to get that information to Microsoft, which can then close the hole," said Wysopal.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His email address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingMicrosoftsecurityVeracodeMalware and Vulnerabilities

More about Andrew Corporation (Australia)AppleMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts