Microsoft has announced a bounty program with generous payouts for discovering the weaknesses in Windows 8.1 while it it still in preview. It is also offering up to $11,000 per bug for vulnerabilities in IE11.
Unlike Google, Facebook and others, Microsoft hasn't had an ongoing bounty scheme, although last year it awarded a total of $260,000 to three winners in its BlueHat Prize competition.
It seems that Microsoft regarded that competition as a success and now has a three-pronged campaign to eradicate the bugs from Windows 8.1 and IE11 before they reach end users and it is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques.
The following three routes to earning cash for exposing bugs are open to individual researchers or those working for an organization that permits participation who are aged 14 or older (minors need parental consent) and on a worldwide basis, with the usual exceptions:
Mitigation Bypass Bounty - Up to $100,000 for truly novel exploitation techniques against protections built into Windows 8.1. To qualify a bypass submission has to be "a novel and distinct method" unknown to Microsoft and which has not been described in prior works.
BlueHat Bonus for Defense - An additional $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission, by including a technical whitepaper to describe a way to effectively block the exploitation technique
Internet Explorer 11 Preview Bug Bounty - Up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview on Windows 8.1 Preview.
It is not usual to offer a bounty for bugs on beta software but Microsoft argues:
Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would.
All three programs start on June 26th - the date of release of the preview of Windows 8.1. The IE11 Preview Bug Bounty runs for 30 days, i.e. until July 26th while the other two have open-ended time frames.
As programmers we often think that users are overly sensitive about their data. What could it hurt to allow the collection of location data, for example. Here is a short video from the ACLU that might [ ... ]