New Bounty Programs – One Week In

Two weeks ago, Microsoft made an important evolutionary step in our work with the security community when we announced our first-ever bounty programs for security issues. One week ago, the Windows 8.1 Preview and Internet Explorer 11 Preview became available for download, and the doors officially opened for bounty-eligible submissions to secure [at] Microsoft [dot] com.

What a great week this has been!! We wanted to share how it’s going, provide some important reminders regarding eligibility of entries, and flag some key dates coming up.

  • Submissions: We’ve received a few submissions to date for the IE 11 Preview Bug Bounty and the Mitigation Bypass Bounty. The investigations are underway, and we should be able to hit our target of letting those researchers know if they qualify for a bounty by next week.
  • Important Reminders: We’ve gotten questions about previously submitted vulnerabilities or previously presented techniques, and whether we will pay a bounty for them. The short answer is “no,” but we’ll find a way to recognize the researchers who came to us before we offered cash. 🙂 Remember, all qualifying entries should be new, and not previously reported to Microsoft or to a vulnerability broker. We’re also working to incorporate expanded information on the Mitigation Bypass Bounty into our FAQ. For now, please read the guidelines for the Mitigation Bypass Bounty and BlueHat Bonus for Defense, and the IE 11 Preview Bug Bounty.
  • Key Dates: There are about 3 weeks left to submit to the IE 11 Preview Bug Bounty program (open until July 26, 2013). And just 4 weeks from now, on July 31 and August 1, we will feature some LIVE Mitigation Bypass Bounty judging at the Microsoft booth at Black Hat Las Vegas, sometime around noon. For those of you who like to make some noise as well as some cash, that’s the place to do it!

One last note on how our programs are working so far: Some entries are coming from familiar researchers, and some are coming from researchers who had historically reported issues only via white-market vulnerability brokers, and only after our beta period was over. This means that our strategy to attract researchers to report issues directly to us earlier in the release cycle is working already, just one week into the new programs! Everyone wins – the researchers, our engineers, and especially our customers.

I’m excited by the positive response and participation in Microsoft’s first bounty programs. Keep the submissions coming, and I hope to see some of the lions of the security industry come out for Black Hat to show their skills, live at our booth. You know who you are. 😉

Katie Moussouris
Microsoft Security Response Center (that’s a zero)