Microsoft has announced that it is extending its bug bounty programme, which pays security researchers for finding flaws in the company's software, to cover all current and upcoming releases of the Windows operating system for the first time.
Bug bounty programmes have been in operation for years, giving researchers a financial incentive to disclose vulnerabilities to the affected vendor before releasing details to the public - or, for those wearing black hats, selling them to government security services or criminal enterprises for malicious exploitation. Microsoft, however, eschewed the practice until launching its first bug bounty programme in 2013, covering the then-new Internet Explorer 11 web browser; that programme eventually paid out around £21,470 in bounties at today's exchange rates.
Following that initial programme, Microsoft has been slowly extending its bounty offerings: In 2014 its Bounty Hunter programme reached £182,860 in payouts with a major chunk going to researcher Yang Yu; in 2015 it added Project Spartan, now known as Microsoft Edge, to the programme; and earlier this year boosted the maximum payouts available for selected software under the programme.
Now the company is going a step further with the launch of the Windows Bounty Program, a bug bounty programme which specifically targets all current versions of the Windows operating system - including those in the Windows Insider beta-test programme - for the first time. 'Since 2012, we have launched multiple bounties for various Windows features,' the company's security team explains in a blog post announcing the initiative. 'Security is always changing and we prioritise different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.'
Under the new programme, exploits against the Hyper-V hypervisor in Windows 10, Windows Server 2012, Windows Server 2012 R2 or the Windows Server Insider Preview beta release will fetch between $5,000 and $250,000 (£3,834 to £191,680) depending on severity, while mitigation bypasses in Windows 10 - but not in the Server variants - will fetch $500 to $200,000 (£383 to £153,340). The company has also announced payouts for vulnerabilities in beta-release software available in the Slow Ring of the Windows Insider programme: $500 to $30,000 (£383 to £23,001) for flaws in Windows Defender Application Guard, and $500 to $15,000 (£383 to £11,501) for flaws in Microsoft Edge or in the underlying Windows operating system itself.
The latest information on all Microsoft's bug bounty programmes can be found on the company's official website.
February 24 2020 | 12:00