Microsoft has long resisted this move, but starting June 26 — the date the Windows 8.1 preview will ship — it will finally launch its own security bounty program. The company will offer bounties up to $100,000 for “truly novel exploitation techniques” that expose security issues in Windows 8.1 Preview. It will also pay up to $11,000 for Internet Explorer 11 vulnerabilities and up to $50,000 for “defensive ideas that accompany a qualifying Mitigation Bypass submission.”
Microsoft says it made this shift to bounty programs “in order to learn about these issues earlier and to increase the win-win between Microsoft’s customers and the security researcher community.”
It’s worth noting that the IE 11 Preview program will only be open for 30 days after the launch of Windows 8.1 Preview. This makes sense, though. The IE 11 bounty, Microsoft says, is mostly meant to “fill a gap in the vulnerability marketplace to the benefit of researchers, Microsoft engineers and our customers.” Most existing bounty programs and white market vulnerability brokers like HP’s Tipping Point Zero Day Initiative and iDEFENSE’s Vulnerability Contributor Program also don’t offer bounties for beta software.
The company acknowledges that it isn’t exactly the first vendor to offer this kind of program, though Katie Moussouris, senior security strategist lead at Microsoft Trustworthy Computing, argues that the company has long sponsored hacker conferences and has awarded cash and prizes through other programs. She also notes that Microsoft will likely announce a number of other ways to work with users and industry partners to discover security issues.
Here is a full description of the three programs:
- Mitigation Bypass Bounty – Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest.
- BlueHat Bonus for Defense – Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered.
- IE11 Preview Bug Bounty – Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 Preview period. Learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft deliver the most secure version of IE to our customers.