Microsoft Hands Out $28k In IE11 Bug Bounty Program
hypnosec writes "Microsoft paid out over $28,000 in rewards under its first-ever bug-bounty program, which ran for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and ran until July 26, with Microsoft revealing at the time that it would pay out a maximum of $11,000 for each IE11 vulnerability reported. Microsoft paid the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design-level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs, while Google engineers Ivan Fratric and Fermin J. Serna were handed $1,100 and $500 respectively."
It is just QA cost saving (Score:5, Insightful)
Re: (Score:1)
This -> "miserable". What they pay out for a bug is not even a week's salary for the marketing guys. Why help a "megacorp" when the reward is a pittance? If I thought it was worth it documenting all the bugs I find in MS products (and there are a few a week; and I am NOT a security researcher. It's just shit I stumble upon.) I would just post them online, screw the money.
Re:It is just QA cost saving (Score:5, Insightful)
You *should* post them online.
If you give MS secret notice and a heads up, then the NSA gets the bugs and exploits them, and MS takes ages to implement a fix. It's the real world here; they've been hacking Belgian telcos, oil companies and banks using that trick. When discovered, MS simply pretends it was a zero-day exploit used by Russian or Chinese hackers and quickly rolls out a fix.
If you post it online on the other hand, we immediately know about it, and can immediately mitigate it by blocking that subsystem, or turning off this and that feature. Not perfect, but better than some military hacker only following orders.
And it's only for Internet Explorer and mitigation (Score:3)
They were only offering bounties for two particular things in Windows: Internet Explorer 11 and the new anti-exploit mitigations in Windows 8.1. Even though there are plenty of other security targets in Windows, only those two things would get you money.
I found a bug in Windows's Secure Boot code that I'm using to jailbreak Windows RT. I might as well; it's not like they pay bug bounties for Secure Boot exploits.
The exploit could be used to run Android on Surface RT with a kexec-like driver implementation
Re: (Score:2)
It's also a win for all of those people who are stuck with Windows (or at least think they are). It's still too dangerous to browse the web without protection in Windows.
Re: (Score:3)
So they spend millions in developing IE, including reviews, QA, etc., and they pay such miserable money for bug locating/fixing? Come on.
Well, it's a free market, auction it to the highest bidder. :-)
Re: (Score:2)
Is it miserable to the researchers? Whether they got $9400 or $500, surely they don't mind the cash. If you want MSFT to pay you $100,000 to find bugs, then apply for a QA position at MSFT and negotiate a $100k salary.
If I had the skills of a security researcher, I'd look at this as a way to make a few easy bucks.
Re: (Score:1)
Agree, it's f*cking cheap and typical MS (cut corners in all the wrong places, always). Why not adopt a properly documented reward system like Google's? http://www.google.co.uk/about/appsecurity/reward-program/
To be fair (Score:2)
That is a LOT of bug detectors who got 1 dollar from MS.
Re: (Score:2)
They're doing their software testing on the cheap, having users find the defects in their code for an amount of money that's not worth the time of software professionals. That sucks, but it's better than what they and everybody else used to do: release shamefully buggy software as a public beta test (whether or not they called it that) and expect users to report bugs for no compensation at all.
But look at it this way:
So they spend millions in developing IE, including reviews, QA, etc., and they pay such miserable money for bug locating/fixing? Come on.
If IE11 has the expected number of bugs, they will still spend almost as much on testing
Internet Explorer Trending UP (Score:3)
http://www.w3counter.com/trends [w3counter.com]
http://gs.statcounter.com/ [statcounter.com]
http://marketshare.hitslink.com/browser-market-share.aspx?qprid=1&qpcustomb=0 [hitslink.com]
There is an unexplained trend upwards in Internet Explorer
Love is the Answer (Score:3, Insightful)
...the crowd here hate anything MS...
If your answer includes "Microsoft is Hated" as a reason for anything, you are right not to register here. Ignoring the fact that you sound like a sulky 16-year-old girl: the mix here is far from being Linux and Apple centric. Microsoft is an abusive, customer-hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another... but that would not stop them using IE. If it wants to be loved, producing decent products would be a g
Why do I bother (Score:2)
trends to visibly change around the release date of a browser is naive at best.
That is not what I said. My point is that if a better(sic) browser was the reason for the years of Internet Explorer market decrease, ironically despite vastly better browsers on the market, then for it to happen thirteen months after launch is inconceivable... people do not suddenly start getting old products without some catalyst for change, as even you claim the launch of the new version wasn't one (you go further, claiming it couldn't be).
The bottom line is the catalyst for change is somewhere else. I suspect that Internet Explorer's sudden change of fortune is a side effect of another change.
Independent Measures (Score:3)
http://html5test.com/results/desktop.html [html5test.com]
Chrome score 463
Firefox score 414
Internet Explorer 10 scores 320 (Internet Explorer 8, which XP users are trapped on, scores 42)
http://www.tomshardware.com/reviews/chrome-27-firefox-21-opera-next,3534-12.html [tomshardware.com], which benchmarks the various browsers extensively, gives
Firefox score 326
Chrome score of 326
Internet Explorer 182
Re: (Score:2)
Those numbers are nice and all but I just ran a tool that checks whether or not my browsers are Internet Explorer.
The only browser that passed the Internet Explorer test was Internet Explorer 10.
I also tested Pale Moon and Comodo Dragon and they both got 0% on the "Is my browser Internet Explorer" test.
Re: (Score:2)
You really need to work on your delivery.
And the "Is my browser Internet Explorer" test replied:
Internet Explorer - but I hardly know 'er
Black is White (Score:4, Insightful)
Heh. The sad thing is that if you swap the names Google or Apple into that statement (or any of a number of other obvious names), it would hold just about as much truth.
Except it's not even remotely true. Google moves from strength to strength, and Apple is immune to criticism. Microsoft is surrounded by failure both in its traditional "monopoly" market, Windows, and its new markets, "products and services". Ballmer got stabbed in the front by Bill "my charity is better than yours" Gates "I don't have to pay tax". Its Xbone launch was anti-gamer.
Want proof? http://www.interbrand.com/en/best-global-brands/2013/Best-Global-Brands-2013.aspx Apple is considered the top brand... Google the top riser. (Microsoft did rise a smidgen though ;)
Propaganda (Score:2)
observed Linux zealots and so-called "advocates" lying, spreading FUD
http://en.wikipedia.org/wiki/Criticism_of_Microsoft [wikipedia.org] list of criticisms, heavily documented.
Re: (Score:2)
It can't possibly be worse than Chrome which has dreadful font rendering on Windows.
Re: (Score:2)
Correction: dreadful *Web*-font rendering. Normal system fonts are quite ok.
Re: (Score:2)
No, new Windows installations only come with one browser.
If the browser works well enough, people don't install another browser.
That is what is going on.
Firefox off topic. (Score:2)
can't even watch a fucking youtube video...chrome and ie for the win.
Ironically, changes come at the expense of Chrome. Ignoring the fact that most users manage quite nicely to play videos on YouTube, it is unlikely that Google would not ensure that Firefox works well with YouTube. YouTube has an HTML5 trial http://www.youtube.com/html5 [youtube.com], and it works great. In other news, the Firefox team is working towards a Flash replacement, "Shumway" http://www.areweflashyet.com/shumway/ [areweflashyet.com]
It looks like youtube is a reason for using Firefox not against, As for your hardware flash is fast e
Re: (Score:2)
And they receive how much money from the NSA for providing them with details of zero-day exploits?
Are they still providing NSA with zero day exploits BTW? I assume the answer is yes.
It's more likely that the NSA pays VUPEN rather than Microsoft. Paying Microsoft directly would have blowback.
Depends on the amount (Score:1)
It's unlikely to be cash, but gee, contracts. Big fat NSA surveillance equipment contracts. I can well believe those are the reward for the 0-day exploits.
I'm reminded of the Qwest CEO, the only telco exec to resist the NSA's illegal demands... he was prosecuted for insider trading and suspects it was a reprisal.
https://www.techdirt.com/articles/20130927/14413024680/one-telco-exec-who-resisted-nsa-has-been-released-4-years-jail.shtml
However, one of the things he mentions is that as soon as he resisted the NSA's demand
prying money from their cold dead hands (Score:2)
Microsoft:
3 months ending 2013-06-30:
Revenue: 19.896 Billion USD
Cost of goods/revenue sold: 5.602 Billion USD
Gross Profit: 14.294 Billion USD
Source:
https://www.google.com/finance?q=NASDAQ:MSFT&fstype=ii&ei=wcBTUtihB8z2qQHI8AE [google.com]
Out of their cost of goods sold, these researchers got 0.00049982%.
Methinks their contribution to M$ is more than a few 10,000ths of 1%. They did what the 5.6 billion spent on internal people failed to do. And M$ doesn't have to pay their healthcare.
The cost of the
The bloody industry is crap (Score:1)