Microsoft Expands Bounty Programs
Written by Alex Armstrong   
Friday, 24 April 2015

Microsoft has launched a new bounty for Project Spartan, expanded both the Online Services Bug Bounty Program and the Mitigation Bypass bounty.

The Project Spartan Bounty program is a short-term one that runs until June 22nd. It is for vulnerabilities in the Microsoft-branded browsers shipping with the Windows 10 preview and qualified submissions will be paid from $500 to $15,000 at Microsoft’s discretion based on the quality and complexity of the vulnerability. 

This bounty program is open to individuals and to participate you must be at least 14, not a Microsoft employee or in any way related to the program and not resident in a country or region under Unites States sanctions. If you work for a security research organization you can only participate if yo can do so in your own individual capacity.

Four types of vulnerability are included. At the low end of the reward range is Address Space Layout Randomization (“ASLR”) Info Disclosure, that is a vulnerability that leads to reliable information about memory stack allocation performed by ASLR. To qualify for the highest rewards you need to provide a functioning exploit and a high quality report pertaining to remote code execution (RCE) or a sandbox escape vulnerability. 

Microsoft is also extending the Online Services Bug Bounty Program that was launched last September as well as raising its maximum payout to $15,000. Originally this program applied only to Office 365 but now includes a number of Azure services, such as: Azure virtual machines, Azure Cloud Services, Azure Storage, and Azure Active Directory.

 bluehat2

 

 

The new addition to the Mitigation Bypass bounty, which in the past has paid out $100,000 USD is for vulnerabilities related to Hyper-V escape, either Guest-to-Host, Guest-to-Guest or Guest-to-Host DoS (non-distributed, from a single guest).

According to Jason Shirk in his announcement on TechNet:  

These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud. 

He also reminds developers of the importance of the contributions they can make to improving the security of Microsoft products and services.

Microsoft has a long history of working closely with security researchers.  Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work.  I can say that we truly value these contributions.  Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time.  

 

Banner


JetBrains Improves Kubernetes Support In IDE Upgrades
12/11/2024

JetBrains has improved its IDEs with features to suggest the logical structure of code, to streamline the debugging experience for Kubernetes applications, and provide comprehensive cluster-wide Kuber [ ... ]



Windows 11 Adoption Takes A Downturn
11/12/2024

With Windows 10 End of Life only ten months away, Microsoft is stepping up its campaign to get Windows users to upgrade to Windows 11. But while Windows 11 had been gaining users at a steady rate at t [ ... ]


More News

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Friday, 24 April 2015 )