Microsoft Will Pay Bug Hunters For Vulnerabilities Found In Windows

After years of holding back, Microsoft will start paying security researchers for finding and reporting security flaws in its most widely used product: the Windows operating system.

Microsoft has run various vulnerability reward programs over the years, some of which are still ongoing, but none of them covered a product that comes close to Windows in code-base size and potential attack surface.

Back in 2013, Microsoft launched two Windows-related bounty programs, but they didn't pay for individual security bugs. Instead, the company offered up to $100,000 for novel attack techniques that could bypass the generic exploit mitigations built into the operating system, and for new defenses that could block such exploitation techniques.

The Mitigation Bypass and Bounty for Defense programs still run today, but developing offensive and defensive techniques of that kind requires a lot of work and technical expertise, so it's not something that many security researchers can or are willing to do. As a result, over the past four years only 31 rewards have been paid for contributions submitted through the Mitigation Bypass program, and only four of them reached $100,000.

The company also ran bug bounty programs over the years for specific software products, including Internet Explorer, Microsoft Edge, the .NET Core and ASP.NET Core development frameworks and Microsoft Office. However, most of those programs were temporary and covered pre-release versions of products, with the goal of finding and fixing security flaws before the final versions were released to customers.

The new Windows Bounty Program announced Wednesday is meant to cover vulnerabilities in all Windows features and components. It's not limited to a specific period of time and, according to the company, "will continue indefinitely at Microsoft’s discretion."

The target of the program is the Windows 10 Insider Preview build distributed through the so-called slow release ring. Insider Preview builds are pre-release versions of Windows 10 that let users test new features before they're included in the major Windows feature updates released to customers every six months. There are two Insider Preview distribution "rings" that users can subscribe to, fast and slow, and they differ in how often new builds are released; the slow ring receives builds less frequently and after more testing.

Monetary rewards through the Windows Bounty Program will range from $500 to $15,000 depending on the impact of the reported vulnerability, with the covered classes being remote code execution, elevation of privilege, information disclosure, remote denial of service, and tampering or spoofing.

On top of that, Microsoft will treat some Windows features and components as "focus areas," and bugs found in them will earn larger rewards. For example, the company is willing to pay between $5,000 and $250,000 for vulnerabilities in Microsoft Hyper-V, the virtualization engine included in some editions of Windows 10, Windows Server 2012, Windows Server 2012 R2 and Windows Server Insider Preview.

In March, the organizers of the annual Pwn2Own hacking contest offered a $100,000 prize for any exploit that broke the isolation layer enforced by Microsoft Hyper-V or VMware Workstation. Two teams of researchers demonstrated virtual machine escapes for VMware Workstation, but no one hacked Microsoft Hyper-V. That suggests finding high-risk vulnerabilities in Microsoft's virtualization technology is difficult, which could explain why the company is willing to pay up to $250,000 for them.

Another focus area for the new bounty program is Windows Defender Application Guard (WDAG), a feature that uses Hyper-V to run Microsoft Edge in an isolated environment. WDAG vulnerabilities could earn researchers $500 to $30,000, while security flaws in Microsoft Edge itself will be rewarded with between $500 and $15,000.

Microsoft has also doubled the maximum reward for its older Mitigation Bypass and Bounty for Defense programs, from $100,000 to $200,000.

"Security is always changing and we prioritize different types of vulnerabilities at different points in time," the Microsoft Security Response Center team said in a blog post. "Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities."
