In June, Microsoft announced that it would start paying third-party security researchers for their work. Specifically, up to $11,000 was available for critical vulnerabilities discovered in the Internet Explorer 11 beta (a scheme that’s now over), and up to $100,000 was available for any technique that bypassed Windows’ built-in exploit mitigation schemes. Four months later, the company has paid its first $100,000 bounty. Researcher James Forshaw from Context Information Security has created an as-yet unpublicized way of exploiting Windows applications that defeats systemic protections such as Address Space Layout Randomization and Data Execution Prevention. Unlike other bug bounty programs, such as the one Google runs for its products, Microsoft is not paying out for individual bugs in released software.

The company says that there are already plenty of companies willing to pay for such bugs, so there’s no particular need to get in on that action. Rather, the $100,000 scheme pays out for entire classes of exploits, in principle enabling Microsoft to provide generic solutions that will make lots of bugs harder to use maliciously.