The issue was uncovered by James Forshaw, head of vulnerability research at Context Information Security, and the money was awarded under the firm's Mitigation Bypass Bounty scheme.
Forshaw previously uncovered design bugs in Internet Explorer 11 (IE11), so this new reward takes his earnings from Microsoft’s bounty programme to a total of $109,400. The majority of the award will go to Context, although Forshaw is likely to receive a sizeable bonus for carrying out the research.
Writing in a blog post, Katie Moussouris, senior security strategist at Microsoft Security Response Center, said the firm would not be detailing the issue he had uncovered until it was addressed.
However, she said the scale of the issue meant Microsoft would be able to vastly improve security across its products, and this was why the firm had awarded the highest possible sum to Forshaw.
“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defences against entire classes of attack,” Moussouris said.
“This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”
Moussouris added that a researcher at Microsoft, Thomas Garnier, had also “found a variant of this class of attack technique”, but the firm acknowledged that Forshaw’s submission was more detailed and thorough, and so deserved the reward.
Commenting on the bounty, Forshaw said Microsoft’s approach to rewarding security research helped justify the type of work he was doing.
“I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires. Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence,” he said.
“It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.”
The huge sum Microsoft is paying out is in stark contrast to recent outrage aimed at Yahoo after it was found to have only paid $12.50 in gift vouchers to researchers for uncovering flaws.
It has since changed its policies to put a more official and generous reward scheme in place. Facebook also faced criticism for its handling of a security flaw found by an Indian researcher, although $12,500 was eventually paid out.