Microsoft Expands Bounty Programs
Written by Alex Armstrong   
Friday, 24 April 2015

Microsoft has launched a new bounty for Project Spartan, expanded both the Online Services Bug Bounty Program and the Mitigation Bypass bounty.

The Project Spartan Bounty program is a short-term one that runs until June 22nd. It is for vulnerabilities in the Microsoft-branded browsers shipping with the Windows 10 preview and qualified submissions will be paid from $500 to $15,000 at Microsoft’s discretion based on the quality and complexity of the vulnerability. 

This bounty program is open to individuals and to participate you must be at least 14, not a Microsoft employee or in any way related to the program and not resident in a country or region under Unites States sanctions. If you work for a security research organization you can only participate if yo can do so in your own individual capacity.

Four types of vulnerability are included. At the low end of the reward range is Address Space Layout Randomization (“ASLR”) Info Disclosure, that is a vulnerability that leads to reliable information about memory stack allocation performed by ASLR. To qualify for the highest rewards you need to provide a functioning exploit and a high quality report pertaining to remote code execution (RCE) or a sandbox escape vulnerability. 

Microsoft is also extending the Online Services Bug Bounty Program that was launched last September as well as raising its maximum payout to $15,000. Originally this program applied only to Office 365 but now includes a number of Azure services, such as: Azure virtual machines, Azure Cloud Services, Azure Storage, and Azure Active Directory.

 bluehat2

 

 

The new addition to the Mitigation Bypass bounty, which in the past has paid out $100,000 USD is for vulnerabilities related to Hyper-V escape, either Guest-to-Host, Guest-to-Guest or Guest-to-Host DoS (non-distributed, from a single guest).

According to Jason Shirk in his announcement on TechNet:  

These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud. 

He also reminds developers of the importance of the contributions they can make to improving the security of Microsoft products and services.

Microsoft has a long history of working closely with security researchers.  Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work.  I can say that we truly value these contributions.  Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time.  

 

Banner


Python Overtakes Java In TIOBE Index
06/11/2020

This month's TIOBE brings dramatic news. Python has replaced Java as the second most popular language. Although this was bound to happen sometime, we had not imagined it would be this soon.



The State Of Secure Software Development - Three OpenSSF Courses
23/11/2020

The Open Source Security Foundation has recently launched three brand new and free courses on Secure Software Development, which are hosted on edX.


More News

 

square

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Friday, 24 April 2015 )