Bounty hunting just got serious – Microsoft has paid out $100,000 to a security researcher in a single “bug bounty” for uncovering a weakness in the preview version of Windows 8.1.
Microsoft announced the bounty via a statement on its BlueHat Blog, entitled Bountiful Harvest. The payment, to UK researcher James Forshaw, dwarfed payments for individual Internet Explorer bugs, according to Microsoft News.
“Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty,” Microsoft said in a statement.
“Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.”
While Microsoft pays $11,000 for a bug in Internet Explorer, the big money was reserved for “truly novel” attacks against Windows 8.1, according to The Verge. Forshaw’s attack worked around protections in the preview version of Windows 8.1.
The payment comes in stark contrast to Yahoo!, which was the subject of some amusement this month for paying a bounty of $12.50. Yahoo!’s more modest “Bug Bounty” was not even paid in money – it came in the form of vouchers for Yahoo!’s corporate store, where fans can buy purple hats, T-shirts, and a desk toy that yodels “Yahoo!”
Katie Moussouris of Microsoft’s Security Response Center said, “Oftentimes, researchers typically do not report these findings until after code was released to manufacturing. With these submissions, we will be able to address these vulnerabilities earlier in the process providing a more secure version of Internet Explorer.”
“As the leaves turn colors and the temperatures cool off, I’m happy to be sharing the bountiful harvest of our programs, started as seeds planted in early summer. It’s been a great first three months of Microsoft’s bounty programs, and we’re overjoyed that our programs have been met with great participation and enthusiasm from the hacker community.”
Many companies, including Google and other internet giants, rely on “bug bounty” programs as a cost-effective way of finding flaws. Most researchers don’t earn the equivalent of a salary – but the thought of a “big” bounty keeps people interested, according to a recent UC Berkeley study.
Author Rob Waugh, We Live Security