Microsoft is offering what it calls a ‘Bounty Program’ for finding exploits and vulnerabilities in Windows 8.1. Google has had a similar program for its Chrome web browser for quite some time now, though it does not offer as much money. This program is a win-win for Microsoft and consumers, as exploits do not get out into the wild and Microsoft has a more secure OS and browser.
Microsoft is now offering direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.
In 2002, we pioneered the Trustworthy Computing initiative to emphasize our commitment to doing what we believe best helps improve our customers’ computing experience. In the years since, we introduced the Security Development Lifecycle (SDL) process to build more secure technologies. We also championed Coordinated Vulnerability Disclosure (CVD), formed industry collaboration programs such as MAPP and MSVR, and created the BlueHat Prize to encourage research into defensive technologies. Our new bounty programs add fresh depth and flexibility to our existing community outreach programs. Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers.
The following programs will launch on June 26, 2013:
- Mitigation Bypass Bounty. Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would. TIMEFRAME: ONGOING
- BlueHat Bonus for Defense. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass submission. Doing so highlights our continued support of defensive technologies and provides a way for the research community to help protect more than a billion computer systems worldwide. TIMEFRAME: ONGOING (in conjunction with the Mitigation Bypass Bounty).
- Internet Explorer 11 Preview Bug Bounty. Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview). The entry period for this program will be the first 30 days of the Internet Explorer 11 beta period (June 26 to July 26, 2013). Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure. TIMEFRAME: 30 DAYS
Microsoft will release a public preview of Windows 8.1 next week at the BUILD conference in San Francisco.