Bounty Hunter Awarded $100,000
Written by Sue Gee   
Monday, 14 October 2013

Microsoft has paid out over $128,000 to researchers as part of its Bug Bounty programs, including $100,000 Mitigation Bypass Bounty to James Forshaw for discovering "an entire class of issues".

In June Microsoft announced three new bounty programs in a follow-on to its BlueHat Prize contest in which large cash prizes were awarded for finding  a way to blocking entire classes of attacks on memory vulnerabilities in Windows.

 

bluehat2

 

The main focus was to eradicate the bugs from Windows 8.1 and IE11 before they could reach end users and submissions were invited from individual researchers and those working for organisations.

The Internet Explorer 11 Preview Bug Bounty  which offered up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview on Windows 8.1 Preview, had time frame limited to the first 30 days of the IE 11 beta period, but the other two bounty programs are ongoing:

  1. Mitigation Bypass Bounty - Up to $100,000 for truly novel exploitation techniques against protections built into Windows 8.1. To qualify a bypass submission has to be "a novel and distinct method" unknown to Microsoft and which has not been described in prior works.
  2. BlueHat Bonus for Defense - An additional $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission, by including a technical whitepaper to describe a way to effectively block the exploitation technique.

Microsoft has now announced the awards made so far.  Six individuals have received awards for IE 11 vulnerabilities, typically receiving $1,100 per bug. In addition to $4,400 for 4 IE 11 bugs, James Forshaw,  a researcher with Context Information Security, was also awarded a bonus of $5,000 for "finding cool IE design vulnerabilities" and now has Mitigation Bypass has netted him a further $100,000.

The BlueHat blog notes:

Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.

While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.

 

Other recipients of IE 11 bounties are also professional security researchers. They include Ivan Fratric, who as overall winner of last year's BlueHat Prize received a $200,000 payout. He now works in Google's Security team and donated his $1,100 bounty to charity.

  

bluehat2

 

More Information

Bounty Hunters: The honor roll

Mitigation Bypass Bounty and BlueHat Bonus for Defense Guidelines 

Related Articles

Microsoft Offers $100,000 For Novel Exploits

BlueHat Prizes Awarded

Google Announces More Cash For Security Bugs

Facebook's White Hat VISA Card

Facebook Refuses Bounty, Internet Raises Over $10K

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin,  or sign up for our weekly newsletter.

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

 

Banner


Firefox 1.0 Released 20 Years Ago
10/11/2024

A news item with the headline "Firefox browser takes on Microsoft" from 20 years ago has attracted renewed attention. It was originally published on the BBC News website on November 9th, 2004 rec [ ... ]



Google Opensources Privacy Library
08/11/2024

Google is making a new differential privacy library available as open source. PipelineDP4J is a Java-based library that can be used to analyse data sets while preserving privacy.


More News

Last Updated ( Monday, 14 October 2013 )