Microsoft offers cash rewards for security bug hunters

Microsoft unveils security bounty programmes to improve its products through responsible disclosure of flaws that could be exploited by hackers

Microsoft has announced three security bounty programmes to help improve the resilience of its products through responsible disclosure of flaws that hackers could exploit.

Several big software companies – including Google, PayPal and Facebook – have established bug bounty programmes, but until now Microsoft has stopped short of offering similar cash rewards.

But the software maker said the bounty programmes will provide another way for Microsoft to harness the collective intelligence and capabilities of security researchers to help further protect its customers.

Under the Mitigation Bypass Bounty programme, Microsoft will pay up to $100,000 for “truly novel” exploitation techniques against protections built into Windows 8.

“Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would,” the firm said in a blog post.

The BlueHat Bonus for Defense programme offers up to $50,000 for defensive ideas that block a mitigation bypass technique.

Microsoft will pay up to $11,000 under the Internet Explorer 11 Preview Bug Bounty programme for critical vulnerabilities that affect IE11 Preview on Windows 8.1 Preview.

All three programmes kick off on 26 June, but while the first two will be ongoing, the Internet Explorer 11 programme will run only until 26 July.

“We’ve added three new researcher-focused programmes to Microsoft’s robust set of security initiatives,” said Mike Reavey, senior director, Microsoft Security Response Center.

“The bounty programmes will help to fill gaps in the current marketplace and enhance our relationships within the invaluable researcher community, all while making our products more secure for our customers,” he said.
