Attention Bounty Hunters – The Ramp Up to Black Hat

We’re three weeks into our new world of bounties for Microsoft products now, and as the clock ticks down on one program, we’re prepping for some live excitement with one of the others.

First, the Internet Explorer 11 Preview Bounty is entering its final 10 days; the bounty period for that program closes on the 26th of July. We’ll gladly accept submissions of vulnerabilities found after that, but the bug bounty for individual IE vulnerabilities will be over. The two platform-wide bounty programs will continue to be available and ready to pay out up to $100,000 for a truly novel exploitation technique, and up to a $50,000 bonus for defense.

So far, we’ve received many submissions and were able to notify the first bounty recipient last week. We have several more that have qualified for bounties and we’re excited to see so many great submissions. Other finders are in the process of being notified via secure [at] microsoft [dot] com. After the close of the bounty period, we’ll post an acknowledgement page saluting all those finders who wish to be publicly identified. Meanwhile, our triage team is bracing for a last rush of vulnerability submissions as we approach the final days of the IE-specific bounty program; we’re keeping them fed and hydrated as best we can.

For those of you interested in examples of what the judges are looking for when it comes to awarding the bounties, here they are, from the judges themselves. To qualify for the highest bounties, we look at the severity of the issue, as well as the overall quality of the submission to determine the bounty amount.

Memory Corruption: Most memory corruption vulnerabilities that are found in Internet Explorer have the potential to enable remote code execution and therefore are likely to qualify for the $1,100 bounty. For example, the memory corruption vulnerabilities that were addressed in MS13-055 represent the types of vulnerabilities that would qualify (e.g. CVE-2013-3115).

To qualify for the $11,000 bounty, we must receive a submission that proves that a vulnerability is exploitable for remote code execution. This means the submission must include a functioning exploit that is able to bypass all relevant mitigations and run arbitrary code (such as executing calc.exe). In addition, the submission must include a whitepaper that describes the root cause of the vulnerability. If the technique used to exploit the vulnerability is truly novel, then we would award the $100,000 Mitigation Bypass Bounty in addition to the $11,000 IE 11 Preview Bug Bounty.

Design Issues: We’ve been receiving a lot of submissions that, while extremely clever in their own right, do not meet the bar as an “Important or higher severity design-level vulnerability.” In order to qualify for a design-level bounty, an issue will need to match up to what we’ve historically ranked at these levels. Execution of arbitrary code qualifies, of course, but in the design-level space these issues aren’t as common.

More common are the Important-severity information disclosure bugs we tend to call “Cross Domain,” or in modern industry parlance, “Universal XSS” or “Same Origin Policy Bypass” bugs. These are issues where a malicious page can, generally without caveat, reach out into a different security context and grab information it should not have access to. A good example would be CVE-2008-2947, fixed in MS08-058.

Of course, one place to seek some of the best and brightest security researchers at the end of July is in Las Vegas, at Black Hat – and what better place for the spectacle of live pwnage? That’s why on 31 July and 1 August, at around noon each day, we’ll be judging live mitigation bypass attempts at the Microsoft booth. Even if you don’t have a new exploitation technique to try out yourself, stop by for what I call the “exploit art walk” – because those who have the skills to bypass the latest platform defenses are true artists, and a rare breed.

If you think you’ve got what it takes, show up at the booth – we’ll have the guidelines posted, or you can read them at that link – or reach out to me via Twitter to let us know your plans.

What happens in Vegas could earn you $100,000. See you there.

Katie Moussouris
Senior Security Strategist, MSRC
https://twitter.com/k8em0 (that’s a zero)