Posted by Adrienne Hall, general manager, Trustworthy Computing
Last week Microsoft announced three new bug bounty programs that encourage the security research community to report vulnerabilities in our latest browser and exploitation techniques across our latest operating system.
The concept of bounty programs is not new. Our approach is simple – we believe in building smart engagements with the security research community to create meaningful impact across the IT ecosystem. Recent news stories highlight the novel approach and explain how the new bounty programs bring more minds to the table.
All our new bounty programs are designed to work together:
• Mitigation Bypass Bounty – Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview).
• BlueHat Bonus for Defense – Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission.
• IE11 Preview Bug Bounty – Microsoft will pay up to $11,000 USD for critical-class vulnerabilities that affect IE11 Preview on Windows 8.1 Preview. This includes security bugs with privacy implications.
The Mitigation Bypass Bounty and Bluehat Bonus for Defense will be ongoing programs and the IE11 Preview Bug Bounty program will run for 30 days (June 26 – July 26, 2013). Last year Microsoft launched the Bluehat contest, which recognized the most valuable and innovative mitigation techniques. This past summer at the Black Hat security conference, we awarded the Bluehat $200,000 grand prize for the most efficient and fully transparent ROP mitigation technique. I see smart minds and a concert of ideas and techniques that continue to help us build great products. We look forward to working with the security community to learn about new and innovative security research techniques this summer.