Just a few weeks after announcing its first bug bounty programs, Microsoft is already set to pay out a reward to a researcher from Google who discovered a vulnerability in Internet Explorer 11. Microsoft officials say they already have several other qualifying entries for the IE 11 reward program as well.
The reward program for IE 11 is the shorter of the two that Microsoft announced last month, and will run until July 26. It pays researchers up to $11,000 for new vulnerabilities in the browser, which currently is in preview release. The motivation for this program was to encourage researchers to report vulnerabilities before the browser goes to final release, something that Microsoft said it hasn’t been getting much of in recent years.
The first reward to emerge from this program will go to Ivan Fratric, a security engineer at Google who said on Twitter a few days after the start of the IE 11 program that he had found a potential memory corruption vulnerability in the browser. Although the maximum payout for the IE reward is $11,000, far below the market value for that kind of vulnerability, Microsoft officials said they’re not interested in being the highest bidder for bugs.
“Our goal was not to directly compete with the black (or even grey) market. Rather, our goal was to attract those researchers who are currently willing to sell in the white market, and get them to come forward directly to us a lot earlier,” said Katie Moussouris, senior security strategist at Microsoft.
“It’s not about offering the most money, but rather about putting attractive bounties out at times where there are few buyers (if any). For our products, that tends to be during the preview (or beta) period.
“Trying to be the highest bidder is a checkers move, and we’re playing chess.”
Although Microsoft may have the largest bank account of any buyer in the vulnerability market, black, white or otherwise, company officials know that there is a certain class of seller who won't take Microsoft's money regardless of the amount. And for those who are willing to sell to Microsoft, price may not be the deciding factor.
In addition to the IE 11 reward program, Microsoft also is offering bounties of up to $100,000 for new offensive techniques that can bypass all of the existing exploit mitigations in the latest version of Windows, beginning with 8.1. The company will have judges at Black Hat later this month to evaluate entries live at the conference.