|Microsoft Expands Bounty Programs|
|Written by Alex Armstrong|
|Friday, 24 April 2015|
Microsoft has launched a new bounty for Project Spartan, expanded both the Online Services Bug Bounty Program and the Mitigation Bypass bounty.
The Project Spartan Bounty program is a short-term one that runs until June 22nd. It is for vulnerabilities in the Microsoft-branded browsers shipping with the Windows 10 preview and qualified submissions will be paid from $500 to $15,000 at Microsoft’s discretion based on the quality and complexity of the vulnerability.
This bounty program is open to individuals and to participate you must be at least 14, not a Microsoft employee or in any way related to the program and not resident in a country or region under Unites States sanctions. If you work for a security research organization you can only participate if yo can do so in your own individual capacity.
Four types of vulnerability are included. At the low end of the reward range is Address Space Layout Randomization (“ASLR”) Info Disclosure, that is a vulnerability that leads to reliable information about memory stack allocation performed by ASLR. To qualify for the highest rewards you need to provide a functioning exploit and a high quality report pertaining to remote code execution (RCE) or a sandbox escape vulnerability.
Microsoft is also extending the Online Services Bug Bounty Program that was launched last September as well as raising its maximum payout to $15,000. Originally this program applied only to Office 365 but now includes a number of Azure services, such as: Azure virtual machines, Azure Cloud Services, Azure Storage, and Azure Active Directory.
The new addition to the Mitigation Bypass bounty, which in the past has paid out $100,000 USD is for vulnerabilities related to Hyper-V escape, either Guest-to-Host, Guest-to-Guest or Guest-to-Host DoS (non-distributed, from a single guest).
According to Jason Shirk in his announcement on TechNet:
These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud.
He also reminds developers of the importance of the contributions they can make to improving the security of Microsoft products and services.
Microsoft has a long history of working closely with security researchers. Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work. I can say that we truly value these contributions. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time.
To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin, or sign up for our weekly newsletter.
or email your comment to: email@example.com
|Last Updated ( Friday, 24 April 2015 )|