Microsoft has paid out over $128,000 to researchers as part of its Bug Bounty programs, including $100,000 Mitigation Bypass Bounty to James Forshaw for discovering "an entire class of issues".
In June Microsoft announced three new bounty programs in a follow-on to its BlueHat Prize contest in which large cash prizes were awarded for finding a way to blocking entire classes of attacks on memory vulnerabilities in Windows.
The main focus was to eradicate the bugs from Windows 8.1 and IE11 before they could reach end users and submissions were invited from individual researchers and those working for organisations.
The Internet Explorer 11 Preview Bug Bounty which offered up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview on Windows 8.1 Preview, had time frame limited to the first 30 days of the IE 11 beta period, but the other two bounty programs are ongoing:
Mitigation Bypass Bounty - Up to $100,000 for truly novel exploitation techniques against protections built into Windows 8.1. To qualify a bypass submission has to be "a novel and distinct method" unknown to Microsoft and which has not been described in prior works.
BlueHat Bonus for Defense - An additional $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission, by including a technical whitepaper to describe a way to effectively block the exploitation technique.
Microsoft has now announced the awards made so far. Six individuals have received awards for IE 11 vulnerabilities, typically receiving $1,100 per bug. In addition to $4,400 for 4 IE 11 bugs, James Forshaw, a researcher with Context Information Security, was also awarded a bonus of $5,000 for "finding cool IE design vulnerabilities" and now has Mitigation Bypass has netted him a further $100,000.
The BlueHat blog notes:
Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.
While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.
Other recipients of IE 11 bounties are also professional security researchers. They include Ivan Fratric, who as overall winner of last year's BlueHat Prize received a $200,000 payout. He now works in Google's Security team and donated his $1,100 bounty to charity.