Microsoft kicks off its own bug bounty programme
Microsoft has announced a three-pronged bug bounty programme for its upcoming Windows and Internet Explorer versions. The company will start paying security researchers for disclosing security vulnerabilities to it in a responsible manner, similar to Google's bug bounty programme for Chrome and Chrome OS that has been ongoing since 2010. Under Microsoft's new initiative, researchers can report vulnerabilities in the under-development Windows 8.1 and the preview of its Internet Explorer 11 browser. If submissions are accompanied by ideas about how to defend against the attack, the submitting researcher will earn a substantial monetary bonus.
Under the Mitigation Bypass Bounty category, Microsoft will pay researchers up to $100,000 for "truly novel exploitation techniques" against the protections of the latest version of Windows, with up to an additional $50,000 BlueHat Bonus for Defense for ideas how to defend against them. These two categories are open indefinitely. Until 26 July, researchers can also earn up to $11,000 for reporting critical vulnerabilities that affect the Internet Explorer 11 Preview on Windows 8.1 Preview. The company's bug bounty programme will open for submissions on 26 June, the same day that the company plans to release the Windows 8.1 preview to the wider public.
More information about Microsoft's new programme can be found in a post on the company's BlueHat Blog and technical details about what qualifies as a submission are provided on the company's TechNet site. Looking to the future of the programme, Microsoft says: "We’ll announce the evolution of these programs as we develop them further and will share some of the highlights as we go." The company, however, did not say how the programme will progress once Windows 8.1 is officially released, which is expected to be later this year.