Microsoft raises the bar for Bug Bounty programs

Microsoft has revised its Bug Bounty schemes with improved rewards, bonuses and the addition of new valid programs.
Written by Charlie Osborne, Contributing Writer

Microsoft is using Black Hat as a springboard to unveil a new, revised approach to bug bounties.

With the launch of Microsoft's latest operating system, the race is on to discover overlooked bugs and security flaws which could place users at risk. Microsoft's Windows operating system, alongside Flash and Java, is a constant target for cyberattackers due to the popularity and widespread use of the system.

Now Windows 10 is available, it is important to entice as many researchers as possible to submit vulnerabilities before they become a widespread security challenge or are released into the underground markets for sale.

Jason Shirk, Security Architect at Microsoft, announced changes to the Redmond giant's bug bounty program on Wednesday alongside demos at the Black Hat conference in Las Vegas. In a blog post, Shirk said Microsoft's Bug Bounty programs have been revised with a number of changes.

Rewards for the Bounty for Defense, a reward for defensive ideas that accompany a qualifying Mitigation Bypass submission, have been raised from $50,000 to $100,000. Microsoft says this alteration "brings defense up on part with offense," of which the tech giant already offers the lure of up to $100,000 for "truly novel" exploits against the Windows operating system.

"Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would," Microsoft says.

The tech giant believes the "novel defender" should be rewarded "equally" for their research.

See also: Bug bounties: 'Buy what you want'

Microsoft is also placing more emphasis on combating authentication security flaws. If a researcher finds an authentication vulnerability and submits it through the Online Services Bug Bounty program within the "bonus" period of August 5 to October 5, 2015, their rewards will be doubled.

In other words, Microsoft Account (MSA) and Azure Active Directory (AAD) authentication vulnerabilities discovered within the two-month period can pay up to $30,000, rather than Microsoft's standard $500 -- $15,000 reward.

Finally, the Redmond giant is adding RemoteApp to the list of domains covered in the Online Services Bug Bounty, which is used to run Windows apps hosted on Azure on a variety of devices.

This week, Microsoft rolled out its first package of non-security-related updates and fixes for Windows 10. Officially known as KB3081424, although dubbed "Service Release 1," the updates are delivered via Windows Update and includes functionality and reliability fixes.

Cybersecurity reads which belong on every bookshelf

Read on: Top picks

In pictures:

Editorial standards