Most tech companies will hand out a “bug bounty” to the first person who reports a particular security flaw. Microsoft’s Mitigation Bypass Bounty operates in a different way altogether. To contend for the $100,000 reward, a security researcher must exhibit a brand new exploitation technique that’s effective against the most recent version of Windows. Within three months of announcing this program, Microsoft on Tuesday made its first $100,000 award.
Microsoft is rewarding a well-known British hacking expert with more than $100,000 for discovering security holes in its software, one of the biggest bounties awarded to date by a tech company.
The company also released the much-awaited update to Internet Explorer, which it said fixes a bug that left users of the browser vulnerable to remote attack.
James Forshaw, who heads vulnerability research at British consulting firm Context Information Security, won Microsoft’s first $US100,000 ($106,000) bounty for identifying a new “exploitation technique” that gets around the built-in protections of Windows 8.1, which will allow the company to build defences against an entire class of attacks, the company said. He is a regular presenter at security conferences and is the author of the network attack tool Canape.
Microsoft awards the $100,000 not for each bug identified, but for discovering classes of bugs, which will allow Microsoft to develop defences against varied attacks. Microsoft isn’t divulging any information about what Forshaw was able to find, except to say that the discovered path could bypass system-level defences, like Data Execution Prevention, which is mainly used in modern operating systems to stop the execution of code from non-executable memory.
As for the size of the payout on offer, “The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defences against entire classes of attack,” says Katie Moussouris, Microsoft’s senior security strategist. “This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”
In the last two months, Microsoft has handed out over $128,000 to security researchers who have found flaws in Windows and Internet Explorer. The rewards range from $500 to $5500. Forshaw was also paid another $9,400 for identifying bugs in the latest version of Internet Explorer.