Microsoft Opens Bug Bounty Program To Incident Responders


Microsoft is expanding the list of security experts who can earn cash payouts for submitting novel ways to bypass the built-in security restrictions in Windows.

Incident responders and forensics experts who pre-register with the software maker and sign a required non-disclosure agreement now qualify to submit novel mitigation bypass techniques that they develop or encounter in the wild. Submissions must include a technical write-up and proof-of-concept code, Microsoft said. Once reviewed, the most novel submissions could earn up to $100,000 from the software maker.

"Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows," wrote Katie Moussouris, senior security strategist at Microsoft's Security Response Center, in a blog post about the program extension. "The stronger the shield, the less likely any individual bug or arrow can get through."

Moussouris said bypass submissions are more helpful to Microsoft engineers than vulnerability submissions because measures can be put in place to block new bypass techniques. The security restrictions block entire classes of attacks as opposed to a single software vulnerability, she said.

Several security consultants at managed security services providers told CRN that the changes are welcome and could give Microsoft faster insight into the bypass techniques attackers are actually using, so they can be addressed sooner. While digital forensics teams responsibly disclose vulnerabilities they uncover in the course of their work, they typically do not have time to write up a novel technique until the client engagement is over, they told CRN.

In June, Microsoft unveiled its bug bounty program, reversing its earlier public position that bug bounty programs were not an effective way to find flaws. In addition to mitigation bypass techniques, the company said it would pay researchers who found flaws in the Internet Explorer 11 Preview running on Windows 8.1 Preview. Over the course of that program, the company said, it received several vulnerability reports that qualified for a bounty.

The program has issued more than $128,000 to security researchers. Last month, Microsoft issued its first $100,000 reward to James Forshaw, a security researcher at London-based penetration testing and security training firm Context Information Security. Details of the new mitigation bypass technique are being withheld until Microsoft addresses it. Additionally, Forshaw received about $9,000 for an IE 11 flaw that he detected.
