Microsoft Bug Internet Explorer Security

Microsoft Hands Out $28k In IE11 Bug Bounty Program

Posted by Unknown Lamer
from the freedom-not-included dept.
hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program, which ran for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and ran until July 26, with Microsoft revealing at the time that it would pay out a maximum of $11,000 for each IE11 vulnerability reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design-level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs, while Google engineers Ivan Fratric and Fermin J. Serna were handed $1,100 and $500 respectively."
  • by faragon (789704) on Tuesday October 08, 2013 @03:11AM (#45067325) Homepage
    So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.
    • by Anonymous Coward

      This -> "miserable". What they pay out for a bug is not even a week's salary for the marketing guys. Why help a "megacorp" when the reward is a pittance? If I thought it was worth it documenting all the bugs I find in MS products (and there are a few a week; and I am NOT a security researcher. It's just shit I stumble upon.) I would just post them online, screw the money.

      • by Anonymous Coward on Tuesday October 08, 2013 @03:56AM (#45067503)

        You *should* post them online.

        If you give MS secret notice and a heads up, then the NSA gets the bugs and exploits them, and MS takes ages to implement a fix. It's the real world here; they've been hacking Belgian telcos, oil companies, and banks using that trick. When discovered, MS simply pretended it was a zero-day exploit used by Russian or Chinese hackers and quickly rolled out a fix.

        If you post it online on the other hand, we immediately know about it, and can immediately mitigate it by blocking that subsystem, or turning off this and that feature. Not perfect, but better than some military hacker only following orders.

        • by ruir (2709173)
          So you are saying Microsoft needs an exploit and that they would be able to program any backdoor they wanted. Does it even make sense?
    • by Anonymous Coward
      I'm guessing at least some of those would be otherwise doing this for free, now they get both recognition and some money. Depending on how long it took to make their findings it might not even be a miserable amount (then again, it might).
    • They only were offering bounties for two particular things in Windows: Internet Explorer 11 and the new anti-exploit mitigations in Windows 8.1. Even though there are plenty of other security targets in Windows, only those two things would get you money.

      I found a bug in Windows's Secure Boot code that I'm using to jailbreak Windows RT. I might as well; it's not like they pay bug bounties for Secure Boot exploits.

      The exploit could be used to run Android on Surface RT with a kexec-like driver implementation.

    • It's a win-win, helps microsoft and helps the researchers. Nothing wrong with that. There's something to be said for getting people far removed from the project and company looking at it too, they'll catch things that Microsoft employees just never would because of different perspectives and processes and goals.
      • by Nerdfest (867930)

        It's also a win for all of those people who are stuck with Windows (or at least think they are). It's still too dangerous to browse the web without protection in Windows.

      • by synapse7 (1075571)
        The problem with this is spammers may offer more than what MS is offering.
    • So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

      Well, it's a free market, auction it to the highest bidder. :-)

    • Is it miserable to the researchers? Whether they got $9400 or $500, surely they don't mind the cash. If you want MSFT to pay you $100,000 to find bugs, then apply for a QA position at MSFT and negotiate a $100k salary.

      If I had the skills of a security researcher, I'd look at this as a way to make a few easy bucks.

    • by Anonymous Coward

      Agree, it's f*cking cheap and typical MS (cut corners in all the wrong places, always). Why not adopt a properly documented reward system like Google's? http://www.google.co.uk/about/appsecurity/reward-program/

    • That is a LOT of bug detectors who got 1 dollar from MS.

    • by Shavano (2541114)

      They're doing their software testing on the cheap, having users find the defects in their code for an amount of money that's not worth the time of software professionals. That sucks, but it's better than what they and everybody else used to do: release shamefully buggy software as a public beta test (whether or not they called it that) and expect users to report bugs for no compensation at all.

      But look at it this way:

      So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

      If IE11 has the expected number of bugs, they will still spend almost as much on testing

    • My thoughts exactly. The entire bug bounty they paid for one of their flagship products is a fraction what my small business spends on Microsoft licencing per year. If I was any of the above people I'd just sell my findings to the malware companies.
    The first time they have ever done this just shows, I think, that all companies are going to have to start offering this unless they want their exploits sold on the black market. If Java offered that much per bug they would have fewer problems.
  • by tuppe666 (904118) on Tuesday October 08, 2013 @03:30AM (#45067413)

    http://www.w3counter.com/trends [w3counter.com]
    http://gs.statcounter.com/ [statcounter.com]
    http://marketshare.hitslink.com/browser-market-share.aspx?qprid=1&qpcustomb=0 [hitslink.com]

    There is an unexplained trend upwards in Internet Explorer

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      It really isn't that hard to explain: while the crowd here hates anything MS, IE10 and IE11 are pretty decent, especially when browsers like Firefox have gone downhill and people are starting to distrust the big bad Google even more with spybrowser Chrome. What I always find amazing though is that Opera never seems to catch on as a high flyer despite its consistent performance over the years.
      • Love is the Answer (Score:3, Insightful)

        by tuppe666 (904118)

        ...the crowd here hate anything MS...

        If your answer includes "Microsoft is Hated" as a reason for anything you are right to not register here. Ignoring the fact that you sound like a sulky 16 year old girl. The mix here is far from being Linux and Apple centric. Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...but that would not stop them using IE. If it wants to be loved, producing decent products would be a g

      • by qaz123 (2841887)
        Font rendering in IE11 on Windows 8 is poor. I'd like to use IE but because of this I can't
      • by Lennie (16154)

        No, new Windows installations only come with one browser.

        If the browser works well enough, people don't install another browser.

        That is what is going on.

  • Microsoft:
    3 months ending 2013-06-30:
    Revenue: 19.896 Billion USD
    Cost of goods/revenue sold: 5.602 Billion USD
    Gross Profit: 14.294 Billion USD
    Source:
    https://www.google.com/finance?q=NASDAQ:MSFT&fstype=ii&ei=wcBTUtihB8z2qQHI8AE [google.com]

    Out of their costs of goods sold, these researchers got 0.00049982%.
    Me thinks their contribution to M$ is more than a few 10,000ths of 1%. They did what the $5.6 billion spent on internal people failed to do. And M$ doesn't have to pay their healthcare.

    The cost of the

  • That's what you get when management shit-for-brains get to decide what buzzwords are relevant in a job application. Framework familiarity > actual skills. Coincidentally the reason I left teh biz.
