New Bounty Program Details
Today we announced the upcoming Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty program. It’s very exciting to finally take the wraps off these initiatives, and we are anticipating some great submissions from the security research community! These programs will allow us to reward great work by researchers and improve the security of our software, all to the benefit of our customers. Also, we just like to analyze and fix cool bugs!
Mitigation Bypass Bounty Program
Security features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) have made it increasingly difficult and costly to exploit vulnerabilities on modern systems. As a consequence of this, good exploitation techniques that work reliably when exploiting vulnerabilities on modern systems have become increasingly valuable. By learning about novel exploitation techniques, we can design better defenses that help protect our customers even when they are running software with an unknown vulnerability or a vulnerability that has not yet been addressed through a security update. This is why we are announcing the Mitigation Bypass Bounty program.
Anatomy of a good report
A high quality submission to the Mitigation Bypass Bounty program will describe and demonstrate a truly novel method of exploiting one or more memory corruption vulnerability classes when all modern mitigations are in place (e.g. DEP, ASLR, SEHOP, and so on). For a submission to be eligible, it must include a detailed whitepaper and a functioning exploit that demonstrates the exploitation technique against a real-world remote code execution vulnerability. The technique must also meet a high bar: it must be generic and reliable, it must have reasonable requirements, it must apply to a high-risk user mode application domain, and it must be applicable to the latest version of our products. The complete set of requirements can be found in the official rules.
A good example of an exploitation technique that could have qualified for the Mitigation Bypass Bounty program is JIT spraying. This technique was publicly described for the first time in 2010 by Dionysus Blazakis. It outlined a method of using a Just-In-Time compiler to emit large amounts of executable code whose immediate operands the attacker controls, so that jumping into that code at a misaligned offset yields a different, attacker-chosen instruction stream. As a result, an attacker implicitly bypasses DEP (the sprayed code already lives in executable memory) and ASLR (enough copies are sprayed that a guessed address is likely to land inside one), and can thereby more easily exploit many classes of memory corruption vulnerabilities. In response to this exploitation technique, multiple software vendors have released JIT compilers that include built-in mitigations for JIT spraying.
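The misaligned-decode trick at the heart of JIT spraying, as an added illustration written for this page (it is not code from the original post, from Blazakis' paper, or from any JIT engine). The byte stream is constructed on the assumption that a JIT compiles the expression `0x3c54d0d9 ^ 0x3c909058 ^ 0x3c909058` to `mov eax, imm32` followed by one `xor eax, imm32` per term; real JIT output depends on the engine and version. The toy decoder (`decode_one`, `decode_from`) and the helpers `insn_count_at` and `insn_at_is` are assumed names and handle only the handful of opcodes that occur in this stream at either alignment.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed JIT output (assumption, see lead-in): the attacker controls only
 * the 32-bit immediates; the opcode bytes 0xB8 and 0x35 are chosen by the JIT.
 */
static const uint8_t jit_stream[] = {
    0xB8, 0xD9, 0xD0, 0x54, 0x3C,   /* mov eax, 0x3c54d0d9 */
    0x35, 0x58, 0x90, 0x90, 0x3C,   /* xor eax, 0x3c909058 */
    0x35, 0x58, 0x90, 0x90, 0x3C,   /* xor eax, 0x3c909058 */
};

#define MAX_INSNS 32
#define MNEM_LEN  32

/*
 * Minimal x86-32 decoder covering only the opcodes present in jit_stream.
 * Returns the instruction length, or 0 when the bytes at pos are not handled
 * or the stream ends mid-instruction.
 */
static size_t decode_one(const uint8_t *code, size_t len, size_t pos,
                         char *out, size_t outsz)
{
    const uint8_t *p = code + pos;
    size_t rem = len - pos;
    uint32_t imm32;

    switch (p[0]) {
    case 0xB8:                      /* mov eax, imm32 */
        if (rem < 5) return 0;
        imm32 = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        snprintf(out, outsz, "mov eax, 0x%08" PRIx32, imm32);
        return 5;
    case 0x35:                      /* xor eax, imm32 */
        if (rem < 5) return 0;
        imm32 = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        snprintf(out, outsz, "xor eax, 0x%08" PRIx32, imm32);
        return 5;
    case 0xD9:                      /* D9 D0 = fnop (x87 no-op) */
        if (rem < 2 || p[1] != 0xD0) return 0;
        snprintf(out, outsz, "fnop");
        return 2;
    case 0x54:
        snprintf(out, outsz, "push esp");
        return 1;
    case 0x58:
        snprintf(out, outsz, "pop eax");
        return 1;
    case 0x90:
        snprintf(out, outsz, "nop");
        return 1;
    case 0x3C:                      /* cmp al, imm8: swallows the next byte */
        if (rem < 2) return 0;
        snprintf(out, outsz, "cmp al, 0x%02x", p[1]);
        return 2;
    default:
        return 0;
    }
}

/* Decode linearly from start until the stream ends or a byte is unhandled.
 * Fills insns[] and returns the number of instructions decoded. */
static int decode_from(const uint8_t *code, size_t len, size_t start,
                       char insns[][MNEM_LEN], int max)
{
    int n = 0;
    size_t pos = start;
    while (pos < len && n < max) {
        size_t l = decode_one(code, len, pos, insns[n], MNEM_LEN);
        if (l == 0) break;
        pos += l;
        n++;
    }
    return n;
}

/* Number of instructions the toy decoder sees when execution starts at off. */
int insn_count_at(size_t off)
{
    char insns[MAX_INSNS][MNEM_LEN];
    return decode_from(jit_stream, sizeof jit_stream, off, insns, MAX_INSNS);
}

/* 1 if the idx-th instruction decoded from offset off is mnem, else 0. */
int insn_at_is(size_t off, int idx, const char *mnem)
{
    char insns[MAX_INSNS][MNEM_LEN];
    int n = decode_from(jit_stream, sizeof jit_stream, off, insns, MAX_INSNS);
    return idx < n && strcmp(insns[idx], mnem) == 0;
}

int main(void)
{
    char insns[MAX_INSNS][MNEM_LEN];
    for (size_t off = 0; off < 2; off++) {
        int n = decode_from(jit_stream, sizeof jit_stream, off, insns, MAX_INSNS);
        printf("execution starting at +%zu:\n", off);
        for (int i = 0; i < n; i++)
            printf("  %s\n", insns[i]);
    }
    return 0;
}
```

Started at +0 the stream is the three harmless arithmetic instructions the JIT intended; started at +1 it becomes `fnop; push esp; cmp al, 0x35; pop eax; nop; nop; cmp al, 0x35; ...`. The trick that keeps the hidden stream in sync is the `0x3C` high byte of every immediate: decoded as `cmp al, imm8`, it consumes the JIT's own `0x35` opcode byte, so each term's low three bytes are executed as attacker-chosen instructions. Constant blinding (XORing JIT-emitted immediates with a random value and undoing it at run time) is the kind of mitigation vendors added in response.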
BlueHat Bonus for Defense
In addition to encouraging researchers to report novel exploitation techniques, we also want to encourage submissions to include recommendations on how an exploitation technique can be mitigated. Submissions that include a whitepaper that describes an effective, practical, and robust mitigation for a qualifying exploitation technique may qualify for up to an additional $50,000 USD bonus.
Internet Explorer 11 Preview Bug Bounty Program
The Security Research and Defense team worked with the core bounty program team to develop the bounty program bug bar for the Internet Explorer 11 Preview Bug Bounty:
| Vulnerability Type | Crash dump | Proof of concept | Functioning exploit | Whitepaper | Sandbox escape | Base Payout Tier |
|---|---|---|---|---|---|---|
| RCE vulnerability | optional | required | required | required | required | Tier 0: could exceed $11,000 USD* |
| RCE vulnerability | optional | required | required | required | optional | Tier 1: maximum payment $11,000 USD |
| RCE vulnerability | optional | required | required | optional | optional | Tier 1: maximum payment $11,000 USD |
| RCE vulnerability | optional | required | n/a | optional | optional | Tier 2: minimum payment $1,100 USD* |
| Important or higher severity design-level vulnerability | optional | required | proof of concept is sufficient | optional | optional | Tier 2: minimum payment $1,100 USD* |
| Eligible security bugs that also have privacy implications | optional | required | optional | optional | optional | Tier 2: minimum payment $1,100 USD* |
| ASLR info disclosure vulnerability | optional | required | n/a | optional | n/a | Tier 3: minimum payment $500 USD* |
| Sandbox escape vulnerability | optional | required | optional | optional | required | Tier 3: minimum payment $500 USD* |
More detail on the submission criteria is available in the official guidelines. One area worth highlighting is our additional focus on eligible security bugs that also have privacy implications. While these bugs would be considered as vulnerabilities in their own right, we thought it was important to highlight them and actively incentivize research that furthers our longstanding commitment to privacy.
Anatomy of a good report
The quality and completeness of a submission determines not only the payout but also the priority in which it will be reviewed. High quality submissions should include a detailed analysis of a vulnerability’s root cause in addition to a proof of concept that reliably reproduces the issue. This information helps us rapidly confirm your findings so that you can get paid!
The highest rewards will go to submissions that include a fully functioning exploit which concretely demonstrates that remote code execution is possible. This means the exploit must be capable of bypassing exploit mitigations such as DEP and ASLR. These submissions allow us to study the exploitation techniques that were used to achieve code execution and thereby identify opportunities for new exploit mitigation features. In this way, we can increase the cost and difficulty of exploiting entire classes of vulnerabilities rather than simply addressing a single vulnerability at a time.
Triage
The SRD team is also responsible for technical triage on issues as they come in. We’ve invited several security researchers on contract with Microsoft to help us in this effort. Our current roster of analysts is as follows:
Memory corruption issues
- Richard van Eeden
- Ken Johnson
- Michal Chmielewski
- Kostya Kortchinsky
- Matt Miller
Design level issues
- Mario Heiderich
- Manuel Caballero
- David Ross
Internet Explorer Engineering
- Jim Fox
- Wilson Guo
- Forbes Higman
- Prashant Singh
We are currently aiming to provide feedback and confirmation of payout within two weeks of a report.
Finally, please remember that the IE11 Preview Bug Bounty runs between June 26 and July 26, 2013, so make sure to get your reports wrapped up and submitted in time.
Next steps
We are incredibly excited to get these programs underway and are really looking forward to seeing the submissions that come in.
- Matt Miller and David Ross, SRD Bloggers
*Postings are provided “AS IS” with no warranties, and confer no rights.*