Skip to main content

Microsoft follows Google and Facebook with $100,000 bug bounty programme

Microsoft has announced a new bug bounty programme, where it will pay out substantial sums of money for anyone who can find exploits in the latest version of Windows 8.1 Preview or help make it stronger than ever.

The software giant is offering a $100,000 (£65,000) prize if someone can bypass the security mitigations of the new Windows Blue build. It is also offering $50,000 (£32,000) if coders can come up with new defences in addition to a mitigation bypass entry. A further $11,000 (£7,000) is on offer if critical vulnerabilities in the preview version of Internet Explorer 11 are identified.

Hackers will have an unlimited amount of time to cash in on the first two bounties, but there is a 30-day time limit on the Internet Explorer one, which marks the first beta phase for the revamped web browser.

Microsoft is no stranger to bug bounties. It gave away a whopping $250,000 (£162,000) at the BlueHat hacker conference when someone was able to provide a solution to return-orientated programming (ROP) exploits in Windows.

Google, Mozilla, PayPal, Facebook and several other top technology firms have also employed bug bounties with great success.

“I think this is an intelligent move by Microsoft to tap talent from all over the world, especially in the security space where it’s hard to find that talent,” said Amol Sarwate, Director of Engineering at security firm Qualys. “It also encourages good research to land into the hands of vendors rather than being sold on the black market.”

Microsoft's new bounty works on a two-fold level. Firstly, it is a good vouch of its own confidence in the security of Windows Blue. Secondly, if it is proven over-confident, it can find and fix any problems that are identified, leading to a more secure product.

Microsoft will provide feedback and payment within two weeks of a successful bounty submission. It will share submissions on it Security Research and Defence blog and will also tweet updates.

The bounties go live on 26 June.