Microsoft has announced that it will pay $100,000 in cash to anyone who discovers security exploits within its most recent Windows 8.1 operating system, together with $50,000 as a bonus if you can also offer defensive suggestions that might be able to block the attack.
Microsoft recently announced that it will give security researchers cash rewards for devising novel software exploitation techniques, creating new exploit mitigation systems, and finding bugs in the beta of Internet Explorer 11 when it's released.
Bug bounty programs, where security researchers receive a cash reward from software vendors for disclosing exploitable flaws in those vendors' software, have become an important part of the computer security landscape. Finding flaws and working out ways to exploit them can be a difficult and time-consuming process. Moreover, exploitable flaws have a market value, especially to criminals, as they can be used to propagate malware and attack systems.
Bounty programs address both concerns. They provide a means for compensating researchers for their efforts, and they provide a market for flaws that won't lead to compromised machines and harm to third parties. Google, Mozilla, Facebook, PayPal, and AT&T, among others, all offer monetary rewards for bug disclosures.
Until now, Microsoft has shied away from such programs. No longer. The company has announced three separate schemes. One of them is a straightforward bug bounty. When Internet Explorer 11 beta is released on June 26 (as part of the Windows 8.1 beta), Microsoft will pay up to $11,000 (and possibly even more) for any critical vulnerabilities discovered by July 26.
In detail, the following programs will launch on June 26, 2013 (i.e., tomorrow):
- Mitigation Bypass Bounty: Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would.
TIME FRAME: ONGOING
- Blue Hat Bonus for Defense: Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass submission. Doing so highlights our continued support of defensive technologies and provides a way for the research community to help protect more than a billion computer systems worldwide.
TIME FRAME: ONGOING (in conjunction with the Mitigation Bypass Bounty).
- Internet Explorer 11 Preview Bug Bounty: Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview). The entry period for this program will be the first 30 days of the Internet Explorer 11 beta period (June 26 to July 26, 2013). Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure.
TIME FRAME: 30 DAYS
This is a program that's broadly comparable to schemes from Google and Mozilla for their browsers. The major difference is the time constraint. Explaining the limited window for submissions, Microsoft says that it wants to ensure that most critical bugs are reported during the beta (when usage of the software and hence the risk due to flaws is low) rather than after release.
During Internet Explorer 10's development, for example, there were low numbers of critical flaws reported during the beta, a large spike shortly after release, and then more low numbers. Microsoft wants to move that spike into the beta period, and the limited payout window could encourage researchers to look at the software sooner rather than later.
The company also argues that existing third-party bounty schemes don't really address products in their pre-release state. TippingPoint's Zero Day Initiative, for example, offers a way for researchers to be rewarded for disclosing flaws, but only for products that are widely deployed. Paying for bugs during the beta fills this gap.
Microsoft is doing something a little different from the traditional bug bounty. By focusing on exploit mitigation techniques, the company can learn about both individual problems in specific applications and system-wide issues. Addressing these system-wide issues can shore up the platform by making it harder to exploit flaws in all software on the platform, whether it's written by Microsoft or third parties.
If you want to know more, go to Microsoft's Security Response Center.