Microsoft on Tuesday forked out what might be the biggest payment to a bug hunter yet: US$100,000.

The money went to James Forshaw, head of vulnerability research at Context Information Security, for coming up with a new exploitation technique that affects Windows 8.1 Preview.
"James' Mitigation Bypass Bounty submission will help us strengthen platform-wide mitigations that serve as a part of 'the shield' that is built into the latest version of our operating system, Windows 8.1 Preview, and increases costs to attackers by making it difficult to reliably exploit individual vulnerabilities," Katie Moussouris, senior security strategist at the Microsoft Security Response Center, told the E-Commerce Times.
The Mote In Microsoft's Eye
Microsoft did not disclose details of the mitigation bypass technique Forshaw discovered, and won't do so until it is addressed.

However, Moussouris did say that Microsoft engineer Thomas Garnier had found a variant of this class of attack technique.

Forshaw's submission "was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty," she said.

New attack techniques such as the one Forshaw discovered let Microsoft develop defenses against entire classes of attack and reduce the threats from individual vulnerabilities, Moussouris emphasized.
'A Cheap Price to Pay'

While $100,000 might seem like a lot of money, "if it's something that impacts all their products and is related to security, $100,000 is a cheap price to pay," commented Jim McGregor, principal analyst at Tirias Research.

The bounty may indeed be cheap at the price: "There are so many companies that depend on the security of Microsoft technologies," remarked Tommy Chin, technical support engineer at Core Security.

"Imagine how many millions of dollars could have been at stake if this exploit technique was used in the wild," Chin added.
Bucks for Bugs

Microsoft paid out the $100,000 to Forshaw under its Mitigation Bypass Bounty program, which is for the identification of truly novel exploitation techniques in Windows 8.1 Preview. That program was announced in June with two others.

One is the BlueHat Bonus for Defense bounty program, which will pay up to $50,000 for defensive ideas for entries that accompany a qualifying Mitigation Bypass submission. In other words, researchers must submit a defense with the attack it is supposed to protect against.

The other is the Internet Explorer 11 Preview Bug Bounty, which ran June 26 through July 26 offering rewards ranging from $500 to $11,000.

Microsoft is not alone in offering bounties to researchers for finding bugs in its software; Google, Mozilla, PayPal and Facebook are among the other companies that also do so.

However, Microsoft's actions are in stark contrast to those of Facebook, which was heavily criticized in August for refusing to pay out a bounty of $500 to unemployed Palestinian researcher Khalil Shreateh for notifying it of a flaw he had discovered.

The programmer community ultimately contributed a total of $11,000 to reward Shreateh through a crowdfunding effort, and Facebook eventually apologized for its actions.
'Cool IE Design Vulnerabilities'

Forshaw leads the Microsoft Security Response Center bounty hunters "honor roll," having garnered a total of $109,400 for his efforts.

In addition to the mitigation bypass, he was paid $4,400 for discovering four Internet Explorer 11 Preview bugs and a $5,000 bonus for finding "cool IE design vulnerabilities."

Forshaw, aka "tiraniddo," also discovered a vulnerability in Oracle Java Three that, when handling reflections within the java.beans.Expression class, can be exploited to compromise a user's system.
Motivating Bug Catchers

"This strategy of obtaining unknown exploitation techniques is working very well," Core Security's Chin told the E-Commerce Times. "It's better for Microsoft to pay third-party talent than attempt to fight against it."

There is "phenomenal expertise out there, including among hackers," Tirias' McGregor pointed out. "There is a risk with them -- you have to know what they're doing -- but they should be tapped."

More companies should be leveraging the software community, including open source, McGregor told the E-Commerce Times.

"I've had vendors tell me they don't have the resources to do this," he added, "but if they put out the problem to the open source community, it would get done."