Microsoft Pays Out First Bug Bounty Reward To Researcher
Less than a month after Microsoft went public with its vulnerability rewards program, the company has confirmed its first payout to a security researcher who discovered a flaw in the latest version of Internet Explorer.

Microsoft confirmed and validated a flaw submission for its Internet Explorer 11 Preview Edition browser, said Katie Moussouris, a senior security strategist at the Microsoft Security Response Center. In a blog post announcing the bounty reward, Moussouris said the program has confirmed other flaws submitted by researchers and will notify them over the next several weeks.

"The security community has responded enthusiastically to our new bounty programs, submitting over a dozen issues for us to investigate in just the first two weeks since the programs opened," Moussouris wrote in Microsoft's BlueHat blog.

Microsoft notified Ivan Fratric, a security researcher who participated in the company's BlueHat contest, that his submission of a memory corruption vulnerability was the first to be rewarded under the new bug bounty program, congratulating him publicly on Twitter. Fratric did not respond to a request for comment Thursday.

Fratric, a noted security researcher, was the second-place winner in the Microsoft contest at last year's Black Hat security conference. He received $50,000 for the creation of ROPGuard, a system that can detect and prevent Return-Oriented Programming (ROP) attacks at runtime.

Microsoft unveiled its security bounty programs June 19. The rewards program was a significant change in philosophy for Microsoft, which has long dismissed similar programs from other software makers.

Security experts said the flaw rewards program will not likely have an immediate impact on Microsoft's regularly scheduled patch release each month. Marc Maiffret, chief technology officer at San Diego-based security vendor BeyondTrust, said the program is narrower in scope than other rewards programs, focusing on preview releases of its software.

"This does not come close to the standard bug bounty programs that are out there right now," Maiffret told CRN. "This puts the focus on the future software that will be released before it gets in the hands of the public."

Microsoft said its Internet Explorer 11 Preview Bug Bounty is one of three programs that pay out rewards to vulnerability researchers. The Redmond, Wash., company pays up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview running on Windows 8.1 Preview, the latest version of Windows.

The Microsoft program also pays out up to $100,000 in rewards under its Mitigation Bypass Bounty program. The company said it will pay out for techniques that can bypass protections built into Windows 8.1 Preview. The BlueHat Bonus for Defense program pays up to $50,000 for new defensive security ideas, accompanying a mitigation bypass submission, that can be added to the operating system.

PUBLISHED JULY 12, 2013