Microsoft announced today the launch of its bug bounty program in which it will offer $100,000 for exploitation techniques against protections built into the latest version of Windows 8.1 Preview, plus another $50,000 for defensive ideas that accompany a qualifying mitigation bypass submission. And finally $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 preview on the latest version of Windows 8.1 Preview.
But wait, what happed of the $250,000 prize that Microsoft gave away at Bluehat? The company was able to implement one of those ideas into EMET to block ROP exploits. In other words, it was able to make Windows safer.
I think this is an intelligent move by Microsoft to tap talent from all over the world, especially in the security space where it’s hard to find that talent. It also encourages good research to land into the hands of vendors rather than being sold on the black market.
Bug bounty programs are not new and have been implemented previously by Google, Mozilla, PayPal and Facebook to name a few. White market bug bounty programs like HP-Tipping Point’s Zero Day Initiative have been around for a few years now. Nevertheless, Microsoft’s move is welcome and the prize money certainly trumps other programs.