Framing the move as part of an ongoing commitment to making its products as secure as possible, Microsoft this week announced that it will now pay hackers for reporting certain classes of vulnerabilities in its software products and services. That’s right: Microsoft has created a set of bug bounty programs.
“Microsoft is now offering direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques,” the firm’s “BlueHat” team writes in a post to the Microsoft Security Response Center blog. “Our new bounty programs add fresh depth and flexibility to our existing community outreach programs. Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers.”
The following bug bounty programs will launch June 26, which coincides with the start of the Black Hat 2013 security conference in Las Vegas:
Mitigation Bypass Bounty. This ongoing bounty will result in payments of up to $100,000 (USD) for “truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview),” Microsoft says.
BlueHat Bonus for Defense. This ongoing bounty will result in payments of up to $50,000 for “defensive ideas that accompany a qualifying Mitigation Bypass submission.”
Internet Explorer 11 Preview Bug Bounty. In a bounty that is limited to 30 days (June 26 to July 26, 2013), Microsoft will pay up to $11,000 for “critical vulnerabilities that affect Internet Explorer (IE) 11 Preview on the latest version of Windows (Windows 8.1 Preview).”
For more details about the bounties, and information about submitting reports to Microsoft, check out New Bounty Program Details on Microsoft’s Security Research & Defense blog.