Microsoft Expands Bounty Programs
Written by Alex Armstrong   
Friday, 24 April 2015

Microsoft has launched a new bounty for Project Spartan, expanded both the Online Services Bug Bounty Program and the Mitigation Bypass bounty.

The Project Spartan Bounty program is a short-term one that runs until June 22nd. It is for vulnerabilities in the Microsoft-branded browsers shipping with the Windows 10 preview and qualified submissions will be paid from $500 to $15,000 at Microsoft’s discretion based on the quality and complexity of the vulnerability. 

This bounty program is open to individuals and to participate you must be at least 14, not a Microsoft employee or in any way related to the program and not resident in a country or region under Unites States sanctions. If you work for a security research organization you can only participate if yo can do so in your own individual capacity.

Four types of vulnerability are included. At the low end of the reward range is Address Space Layout Randomization (“ASLR”) Info Disclosure, that is a vulnerability that leads to reliable information about memory stack allocation performed by ASLR. To qualify for the highest rewards you need to provide a functioning exploit and a high quality report pertaining to remote code execution (RCE) or a sandbox escape vulnerability. 

Microsoft is also extending the Online Services Bug Bounty Program that was launched last September as well as raising its maximum payout to $15,000. Originally this program applied only to Office 365 but now includes a number of Azure services, such as: Azure virtual machines, Azure Cloud Services, Azure Storage, and Azure Active Directory.

 bluehat2

 

 

The new addition to the Mitigation Bypass bounty, which in the past has paid out $100,000 USD is for vulnerabilities related to Hyper-V escape, either Guest-to-Host, Guest-to-Guest or Guest-to-Host DoS (non-distributed, from a single guest).

According to Jason Shirk in his announcement on TechNet:  

These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud. 

He also reminds developers of the importance of the contributions they can make to improving the security of Microsoft products and services.

Microsoft has a long history of working closely with security researchers.  Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work.  I can say that we truly value these contributions.  Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time.  

 

Banner


Google Intensive AI Course - Free On Kaggle
05/11/2024

Google is offering a 5-Day Gen AI Intensive Course designed to equip data scientists with the knowledge and skills to tackle generative AI projects with confidence. It runs on the Kaggle platform from [ ... ]



DuckDB And Hydra Partner To Get DuckDB Into PostgreSQL
11/11/2024

The offspring of that partnership is pg_duckdb, an extension that embeds the DuckDB engine into the PostgreSQL database, allowing it to handle analytical workloads.


More News

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Friday, 24 April 2015 )