Microsoft will pay security researchers for finding and reporting vulnerabilities in the preview version of its Internet Explorer 11 (IE 11) browser, for finding novel techniques to bypass exploit mitigations present in Windows 8.1 or later versions, and for coming up with new ideas to defend against exploits.
The monetary rewards will be paid through three bounty programs the company launched Wednesday.
The payouts will range between $500 and $11,000 for vulnerabilities found in IE 11 Preview, depending on the type of vulnerability and quality of the report, and up to $100,000 for mitigation bypasses in Windows 8.1 and later versions.
There is also a defense bonus of up to $50,000, the BlueHat Bonus for Defense. Participants must submit a technical paper that describes an idea that could be used to block an exploitation technique that bypasses the latest Windows platform mitigations. The reward will depend on the quality and uniqueness of the idea, Microsoft said in the program’s guidelines.
In order to be eligible for the Mitigation Bypass Bounty program, submissions will have to include an exploit for a remote-code-execution (RCE) vulnerability in a user mode application that uses a novel way to bypass Windows platform stack corruption, heap corruption and code execution mitigations.
The rules
These mitigations are discussed in a Microsoft white paper called Mitigating Software Vulnerabilities and include DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) among others.
The new exploitation method must not be one that Microsoft already knows or that has been described in prior works and the submission must also include a white paper explaining the method.
The mitigation bypass and defense bonus programs will run on an ongoing basis starting with Windows 8.1 Preview version, which is expected to be released this month at Microsoft’s Build developers conference.
However, the IE 11 Preview bug bounty program will only run for 30 days, between June 26 and July 26. The goal of this particular program is to find and patch vulnerabilities at the best possible time, during the beta period, said Mike Reavey, the senior director of the Microsoft Security Response Center (MSRC).
Other bonus programs
Google and Mozilla also have bug bounty programs for their respective browsers, Chrome and Firefox, but those programs have been running on an ongoing basis for several years.
The IE 11 program will reward individual vulnerability reports with different payouts that depend on the criticality of the reported issue and quality of the report.
For example, remote code execution vulnerabilities can fall into the Tier 0, Tier 1, or Tier 2 payout categories. A Tier 1 report will receive a maximum payout of $11,000 and needs to be accompanied by a proof-of-concept and a functioning exploit, while a Tier 0 report can be rewarded with over $11,000, at Microsoft’s discretion, but also requires a white paper and possibly a sandbox escape.
Important or high-severity design-level vulnerabilities, security bugs with privacy implications, and sandbox escape vulnerabilities fall into the Tier 2 category and are rewarded with a minimum of $1,100. ASLR information disclosure vulnerabilities fall into the Tier 3 category and are rewarded with a minimum of $500.
Microsoft has paid for defensive techniques before as part of its BlueHat Prize contest and has also contracted researchers to pen-test their products internally. However, this is its first public bug bounty program.
Microsoft has always received vulnerability reports from outside researchers and continues to do so, Reavey said. However, the company also noticed a market shift, where many reports come from researchers through vulnerability brokers that buy vulnerability information through their own programs, he said.
Beta periods are prime
That’s great, because those are high quality reports, but there is a market gap that Microsoft’s newly announced bounty programs will attempt to fill, Reavey said. “We don’t see many brokers that pay for mitigation bypasses because those are top dollar, and we also don’t see brokers paying for vulnerabilities found before a product is released, while still in the beta period.”
The beta testing period is the most optimal time to receive this information because it allows the developer to release a more secure final product and have as many issues as possible addressed before they can impact customers, Reavey said.
As for mitigation bypasses, Microsoft would traditionally receive those after they’re found being used in attacks, or once a year or so as the result of contests run at security conferences, Reavey said. “What we want to do is make sure we can get those year-round, as early as possible, so we can protect customers.”
Updated at 12:10 p.m. PT to correct the date on when the bounty program will end.