Microsoft Expands Bounty Programs
Written by Alex Armstrong   
Friday, 24 April 2015

Microsoft has launched a new bounty for Project Spartan and expanded both the Online Services Bug Bounty Program and the Mitigation Bypass bounty.

The Project Spartan Bounty program is a short-term one that runs until June 22nd. It covers vulnerabilities in the Microsoft-branded browsers shipping with the Windows 10 preview, and qualified submissions will be paid from $500 to $15,000 at Microsoft’s discretion, based on the quality and complexity of the vulnerability.

This bounty program is open to individuals. To participate you must be at least 14, not a Microsoft employee or in any way related to the program, and not resident in a country or region under United States sanctions. If you work for a security research organization you can only participate if you can do so in your own individual capacity.

Four types of vulnerability are included. At the low end of the reward range is Address Space Layout Randomization (“ASLR”) Info Disclosure, that is, a vulnerability that leads to reliable information about memory stack allocation performed by ASLR. To qualify for the highest rewards you need to provide a functioning exploit and a high-quality report pertaining to a remote code execution (RCE) or sandbox escape vulnerability.

Microsoft is also extending the Online Services Bug Bounty Program that was launched last September, as well as raising its maximum payout to $15,000. Originally this program applied only to Office 365, but it now includes a number of Azure services, such as Azure virtual machines, Azure Cloud Services, Azure Storage, and Azure Active Directory.

The new addition to the Mitigation Bypass bounty, which in the past has paid out $100,000 USD, is for vulnerabilities related to Hyper-V escape, either Guest-to-Host, Guest-to-Guest or Guest-to-Host DoS (non-distributed, from a single guest).

According to Jason Shirk in his announcement on TechNet:  

These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud. 

He also reminds developers of the importance of the contributions they can make to improving the security of Microsoft products and services.

Microsoft has a long history of working closely with security researchers.  Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work.  I can say that we truly value these contributions.  Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time.  

 


Last Updated ( Friday, 24 April 2015 )