|Bounty Hunter Awarded $100,000|
|Written by Sue Gee|
|Monday, 14 October 2013|
Microsoft has paid out over $128,000 to researchers as part of its Bug Bounty programs, including $100,000 Mitigation Bypass Bounty to James Forshaw for discovering "an entire class of issues".
In June Microsoft announced three new bounty programs in a follow-on to its BlueHat Prize contest in which large cash prizes were awarded for finding a way to blocking entire classes of attacks on memory vulnerabilities in Windows.
The main focus was to eradicate the bugs from Windows 8.1 and IE11 before they could reach end users and submissions were invited from individual researchers and those working for organisations.
The Internet Explorer 11 Preview Bug Bounty which offered up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview on Windows 8.1 Preview, had time frame limited to the first 30 days of the IE 11 beta period, but the other two bounty programs are ongoing:
Microsoft has now announced the awards made so far. Six individuals have received awards for IE 11 vulnerabilities, typically receiving $1,100 per bug. In addition to $4,400 for 4 IE 11 bugs, James Forshaw, a researcher with Context Information Security, was also awarded a bonus of $5,000 for "finding cool IE design vulnerabilities" and now has Mitigation Bypass has netted him a further $100,000.
The BlueHat blog notes:
Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.
While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.
Other recipients of IE 11 bounties are also professional security researchers. They include Ivan Fratric, who as overall winner of last year's BlueHat Prize received a $200,000 payout. He now works in Google's Security team and donated his $1,100 bounty to charity.
To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin, or sign up for our weekly newsletter.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Monday, 14 October 2013 )|