Microsoft claims 'a few' bug reports in bounty program
Microsoft today said it had received "a few submissions" so far for its Internet Explorer 11 (IE11) bug bounty program, the first for the company.
"We've received a few submissions to date for the IE11 Preview Bug Bounty and the Mitigation Bypass Bounty ... [and] the investigations are underway," said Katie Moussouris, a senior security strategist lead, on a company blog.
The IE11 bounty was announced June 19 and kicked off June 26, with a limited-time run until July 26. During the month-long program, Microsoft will pay researchers up to $11,000 for each IE11 vulnerability they find and report.
A beta of IE11 was released June 26 as part of a public preview of Windows 8.1, the upgrade for Windows 8 and Windows RT, which does not yet have a definitive launch date. Microsoft has said it will ship Windows 8.1 this fall.
The other program Moussouris mentioned, the Mitigation Bypass Bounty, while not a true bug bounty, will award up to $100,000 for any novel exploitation technique able to circumvent Windows 8.1's layered defenses.
Moussouris also claimed victory, even though the IE11 bounty had run just one week.
"Some entries are coming from familiar researchers, and some are coming from researchers who had historically only reported issues via white market vulnerability brokers, after our beta period was over," she wrote. "This means that our strategy to attract researchers to report issues directly to us earlier in the release cycle is working already."
In an interview two weeks ago, Moussouris said that Microsoft's first-ever bug bounty was designed to motivate researchers to report vulnerabilities during the browser's beta, a period when third-party bug bounty brokers have declined to purchase flaws.
Those brokers, including HP TippingPoint's Zero Day Initiative and VeriSign's iDefense, have historically not paid for bugs in beta code because they have no way of knowing whether the flaws will be fixed before a product is shipped to customers.
Rewards for new IE11 vulnerabilities range from $500 to more than $11,000, depending on the type of bug and the amount of background material, including a working exploit, that the researcher provides.
Microsoft has published guidelines for the IE11 Preview Bug Bounty program on its website.