Microsoft Awards Its First $100,000 Bounty For A New Security Vulnerability

Bluehat Microsoft

Microsoft announced its new security bounty programs a few months back and has now paid out over $128,000 to various security experts around the world. Yesterday, Microsoft announced its first ever $100,000 bounty, awarded to James Forshaw for finding a new class of attack technique against Microsoft’s products.

Read more on it below.

Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps.

Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.

While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.

The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.

Source: Microsoft

  • Yuan Taizong

    I just love this programme, it may cost Microsoft a lot of money, but it works great, all bugs and issues will get fixed and Windows will be an awesome and great operating system, Microsoft must keep this programme open so hackers can address all other programmes as well and make some sort of reporting site where users can report bugs in Windows and Internet Explorer for volunteers who don’t want to get paid, maybe in the future the whole image of Windows being unsafe, let’s be honest, Windows has had the most experience with hackers and malware and Windows 8 has the best security of all possible operating systems, Windows can only get better, but the sad truth is that almost all viruses are written for Windows but Windows 8 is a great leap in the right direction with sand-boxing and custom permissions, Vista’s safety built into every app.