A security researcher from the UK is the first to win $100,000 in one of three bug bounty programmes Microsoft introduced three months ago.
Although several big software companies, including Google, PayPal and Facebook, have established bug bounty programmes, Microsoft had not offered similar cash rewards before.
The first maximum bounty under the Mitigation Bypass programme for exploits against protections in Windows 8 was won by James Forshaw, head of vulnerability research at UK-based incident response and investigation firm Context Information Security.
Forshaw had already benefited from discovering design-level bugs during the IE11 Preview Bug Bounty offered during July, taking his total bounty earnings to $109,400.
Microsoft is not providing details of Forshaw’s new mitigation bypass technique until it is addressed, but said it would enable software engineers to create new defences for future products.
The software firm said the reason for paying so much more for a new attack technique than individual bugs is that learning about new mitigation bypass techniques helps to develop defences against entire classes of attack.
Strengthening platform-wide mitigations, Microsoft said, makes it harder to exploit bugs in all software running on the Microsoft platform and not just Microsoft applications.
Forshaw said he is keenly interested in the challenge of finding novel exploitation techniques.
“Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programmes from offence to defence,” he said.
Forshaw said the programme provides an incentive for researchers to commit time and effort to security in depth rather than just striving for the total vulnerability count.