One day after announcing that it had paid researchers $28,000 for reporting a number of vulnerabilities in Internet Explorer 11, Microsoft revealed that it has written a much bigger check–this one for $100,000–to a researcher who has discovered a new attack technique that bypasses all of the exploit mitigations on the newest version of Windows.
James Forshaw, a researcher who also won a reward in the IE 11 bounty program this summer, submitted the technique to Microsoft, which validated it. The reward is part of the company’s bug bounty program that incentivizes researchers to look for novel attack techniques that can defeat the modern anti-exploit technologies such as DEP and ASLR implemented in Windows. The program was announced in June, but Forshaw’s technique is the first one to qualify for the $100,000 payout.
Microsoft officials said that one of the company’s security engineers had discovered a portion of the technique as well, but that didn’t prevent Forshaw from winning the bounty. Katie Moussouris, a senior security strategist at Microsoft, said that the company won’t disclose the details of Forshaw’s technique until engineers have had a chance to analyze it and implement defenses in Windows.
“Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” Moussouris said.
“While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.”
The $100,000 reward program is an ongoing one through which Microsoft aims to spur researchers to look for new offensive techniques that can get past the state-of-the-art exploit mitigations. It’s the first time that Microsoft has offered monetary rewards for vulnerability or attack information, following the company’s successful Blue Hat Prize contest, which paid large rewards for novel defensive techniques. Moussouris, who spearheaded the work on both the Blue Hat Prize and the bug bounty program, said that the company was motivated to help find and protect users against large classes of attacks rather than individual bugs.
“We’re thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James’ entry will help us improve our platform-wide defenses and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues,” she said.