Microsoft pays $100,000 Bounty for Security Exploit Discovery
Microsoft has doled out a $100,000 bounty for pointing out security exploits and flaws in its Windows 8.1 operating system. The cash is going to James Forshaw, head of vulnerability research at Context Information Security in the UK.
James Forshaw Receives $100,000
Forshaw identified a new ‘exploitation technique’ in a preview version of Microsoft’s upcoming Windows 8.1 release. According to Microsoft, Forshaw’s discovery would help the company ‘develop defences against entire classes of attack’.
“While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defences for future versions of our products because we learned about this technique and its variants.” – Katie Moussouris, Senior Security Strategist, Microsoft.
The $100,000 amount is among the highest ever paid by a tech company, and is the for Microsoft. James Forshaw says he spent about 3 weeks working on finding the exploits before he finally zeroed in on the one he sent to Microsoft. Forshaw has spent 10 years in his industry and has a rich history of winning bounties. He had previously won another bounty – $9400 – for discovering a vulnerability in Internet Explorer 11. He was also given a large amount from HP for winning its ‘Pwn2Own’ contest.
“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus of complex logic bugs. I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires. To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful.” – James Forshaw
Paying out bounties for discovering security loopholes in systems isn’t a new concept at all. Many firms such as Apple and Facebook even have a hall of fame recognizing hackers who have helped them strengthen the security of their services. Facebook is known to pay bounties for security exploits.
Yahoo recently came under fire from the online community after it awarded a $25 voucher to a security researcher who pointed out 3 flaws in the company’s security system.
Microsoft is currently taking pre-orders for Windows 8.1 – it officially releases on October 18th. The company has also released an update to Internet Explorer 11 after patching a major vulnerability that was recently discovered. Users are advised to install the update immediately.