Microsoft has announced that it will pay up to $100,000 to researchers who present the company with previously unknown security flaws.
Redmond said that its bounty system would be divided into three operations, which will also address defense techniques and browser exploits. The three campaigns will offer rewards of $100,000, $50,000 and $11,000.
The most lucrative category will be the disclosure of zero-day flaws and attack techniques in Windows. The six-figure reward will be offered to researchers who can present critical vulnerabilities in the latest patched version of Windows.
The company will offer $50,000 to researchers who can bring the company techniques for mitigating attacks on critical security vulnerabilities. Both programmes will be ongoing efforts for the company.
A third programme will run for a limited time and will ask researchers to bring forward flaws in the latest version of Windows. That contest will run from 26 June to 26 July and will carry an $11,000 payout.
“They will also help to fill gaps in the current marketplace and enhance our relationships within this invaluable community,” Microsoft Security Response Center general manager Mike Reavey said of the programmes. “All while making our products more secure for our customers.”
The move represents an about-face for a Microsoft group that was once an outspoken opponent of paying researchers for bug reports. In 2007 the firm said that bounty programmes were “not healthy” for the security community.
Once controversial, vulnerability payment programmes have become established as an effective way to connect security researchers with vendors and reduce the prevalence of zero-day flaw disclosures. Platforms such as HP's ZDI purchase flaws and then confidentially report them to vendors, while Google has opted to pay rewards directly to researchers who report Chrome vulnerabilities.