UK security researcher first to win top Microsoft bounty

A UK security researcher is the first to win $100,000 in one of three new Microsoft bug bounty programmes

A security researcher from the UK is the first to win $100,000 in one of three bug bounty programmes Microsoft introduced three months ago.

The software supplier announced the bounty programmes to help improve the resilience of its products through responsible disclosure of flaws that hackers could exploit.

Although several big software companies, including Google, PayPal and Facebook, have established bug bounty programmes, Microsoft has not made similar cash rewards before.

The first maximum bounty under the Mitigation Bypass programme for exploits against protections in Windows 8 was won by James Forshaw, head of vulnerability research at UK-based incident response and investigation firm Context Information Security.

Forshaw had already earned rewards for discovering design-level bugs during the IE11 Preview Bug Bounty offered in July, taking his total bounty earnings to $109,400.

Microsoft is not providing details of Forshaw’s new mitigation bypass technique until it is addressed, but said it would enable software engineers to create new defences for future products.

The software firm said it pays so much more for a new attack technique than for individual bugs because learning about new mitigation bypass techniques helps it develop defences against entire classes of attack.

Strengthening platform-wide mitigations, Microsoft said, makes it harder to exploit bugs in all software running on the Microsoft platform and not just Microsoft applications.

Forshaw said he is keenly interested in the challenge of finding novel exploitation techniques.

“Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programmes from offence to defence,” he said.

Forshaw said the programme provides an incentive for researchers to commit time and effort to security in depth rather than just striving for the total vulnerability count.
