As part of its first-ever bounty program, Microsoft has paid out $28,000 to a small group of researchers who identified and reported vulnerabilities in Internet Explorer 11. The IE 11 bounty program only ran for one month during the summer, but it attracted a number of submissions from well-known researchers.
The Microsoft bug bounty program for IE 11 began in June and ended in late July, during the preview period for the browser. Researchers who reported vulnerabilities in the latest version of the company’s browser had the opportunity to earn as much as $11,000. None of the submissions during the IE 11 window earned the maximum reward; the highest payment was $9,400 to James Forshaw for four vulnerabilities discovered in IE, plus a bonus for identifying some IE design vulnerabilities.
Microsoft’s reward program was announced in June after many years of speculation by security researchers about the company’s intentions. Microsoft officials had said in the past that the company didn’t need to pay rewards for vulnerabilities because many researchers came directly to Microsoft with details of new vulnerabilities. That state of affairs changed over the course of the last year or so, leading Microsoft to establish its own take on the bug bounty programs run by many other software vendors.
Unlike Google, PayPal and others, Microsoft’s program, outside of the IE 11 reward, is mainly geared toward paying for innovative attack techniques. The company is offering as much as $100,000 for offensive techniques that are capable of bypassing the latest exploit mitigation technologies on the newest version of Windows. That program is still ongoing.
Among the other researchers who received rewards from Microsoft in the IE 11 program are Peter Vreugdenhill of Exploit Intelligence, Fermin J. Serna of Google, Masato Kinugawa, Ivan Fratric of Google and Jose Antonio Vazquez Gonzalez of Yenteasy Security Research.
The $28,000 Microsoft paid during the IE 11 program isn’t a big number in the grand scheme of things, particularly when compared to the tens of thousands of dollars Google pays out on a regular basis for Chrome bugs. But the researchers who submitted bugs to the program are a good indication that the security community is taking Microsoft’s program seriously, despite the relatively low payments available.