
Microsoft Expands $100K Windows Bug Bounty Program

Microsoft has expanded its security bounty program in the hopes of keeping sophisticated Windows exploits off the black market.


Microsoft will now accept Windows mitigation bypass techniques that have been seen in active use in the wild for its $100,000 bounty program. Before this, researchers could only submit proof-of-concept exploits they had developed themselves, not exploits they had found in the wild.

“This makes it a…program that encourages incident responders, or anyone else who comes across something in the wild, to be the first to grab it and claim the prize,” blogged Wendy Nather, research director for 451 Research’s enterprise strategy group. “The original creator of a bypass not only has to make sure it evades detection by security technology; he has to protect it from his own confederates, or anyone else who knows about it and thinks $100,000 is pretty nifty.”

Related Podcast: The Story Behind Microsoft’s Bug Bounty Program

The latest announcement is an outgrowth of a rewards program for Windows security that Microsoft established in June. The Windows bounty was one of three programs the company created this summer to promote security; also established was a program to report vulnerabilities affecting the Internet Explorer 11 Preview as well as a reward for up to $50,000 for defensive ideas accompanying a qualifying mitigation bypass submission. The IE program is now closed, though the others remain open.


“Individual bugs are like arrows,” said Katie Moussouris, senior security strategist lead for Microsoft Trustworthy Computing, in a statement. “The stronger the shield, the less likely any individual bug or arrow can get through. Learning about ‘ways around the shield,’ or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of arrows as opposed to a single bug – hence, we are willing to pay $100,000 for these rare techniques.”

To participate in the expanded bounty program, organizations need to pre-register with Microsoft before turning in a submission. Once a person is registered and signs an agreement, Microsoft will accept any technical write-up and proof-of-concept code for consideration, Moussouris noted.

“This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets,” she explained in a blog post. “Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.”
