Bounty News Update: Bountiful Harvest

msrc-blog

Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops. Today I’m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs. When we launched our bounty programs in June this year, we had a few strategic goals in mind:

  • Increase the win-win between the hacker/security researcher community and Microsoft’s customers, and build relationships with new researchers in the process
  • Receive more vulnerability reports earlier in the release cycle of our products, ideally during the beginning of the preview (or beta) period
  • Learn about new exploitation techniques that can be used to defeat our platform-wide defenses, so we can build protections against entire classes of attack

Now that we have permission from the bounty program recipients to publish their names and bounty amounts, I’ll list them all here. You may have seen a few congratulatory and celebratory tweets; we wanted to officially acknowledge these security researchers who have helped our customers by participating in our bounty programs.

On behalf of over a billion customers, THANK YOU!

James Forshaw
Ivan Fratric
Jose Antonio Vazquez Gonzalez
Masato Kinugawa
Fermin J. Serna
Peter Vreugdenhil

I am also thrilled to highlight a few of our bounty program results:

Overall:

We’ve worked with so many bright security researchers through the years, and are thrilled that through the bounty programs, we received reports from researchers who had never reported to us directly before. This means we have even more great minds interested in working directly with us to help make our products more secure.

IE11 Preview Bug Bounty:

During the first 30 days of the IE11 preview period we received several vulnerabilities that qualified for a bounty, in contrast to the first 30 days of the IE10 beta, when we did not receive any bulletin-class reports. The Preview period is a great time for us to receive these reports because we can address these issues earlier. Researchers often do not report these findings until after code has been released to manufacturing. With these submissions, we will be able to address these vulnerabilities earlier in the process, providing a more secure version of Internet Explorer.

As the leaves turn colors and the temperatures cool off, I’m happy to be sharing the bountiful harvest of our programs, started as seeds planted in early summer. It’s been a great first three months of Microsoft’s bounty programs, and we’re overjoyed that our programs have been met with great participation and enthusiasm from the hacker community.

Stay tuned for more news coming soon!

Katie Moussouris
Senior Security Strategist, Microsoft Security Response Center
https://twitter.com/k8em0 (that’s a zero)
