June 19, 2013, 1:03 PM — Microsoft will pay security researchers for finding and reporting vulnerabilities in the preview version of its Internet Explorer 11 (IE 11) browser, for finding novel techniques to bypass exploit mitigations present in Windows 8.1 or later versions and for coming up with new ideas to defend against exploits.
The monetary rewards will be paid through three bounty programs the company launched Wednesday.
The payouts will range between US$500 and $11,000 for vulnerabilities found in IE 11 Preview, depending on the type of vulnerability and quality of the report, and up to $100,000 for mitigation bypasses in Windows 8.1 and later versions.
There is also a defense bonus of up to $50,000, the BlueHat Bonus for Defense. Participants must submit a technical paper that describes an idea that could be used to block an exploitation technique that bypasses the latest Windows platform mitigations. The reward will depend on the quality and uniqueness of the idea, Microsoft said in the program's guidelines.
To be eligible for the Mitigation Bypass Bounty program, a submission must include an exploit for a remote code execution (RCE) vulnerability in a user-mode application that uses a novel technique to bypass the Windows platform mitigations against stack corruption, heap corruption and arbitrary code execution.
These mitigations are discussed in a Microsoft white paper called Mitigating Software Vulnerabilities and include DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) among others.
The new exploitation method must not be one that Microsoft already knows about or that has been described in prior work, and the submission must also include a white paper explaining the method.
The mitigation bypass and defense bonus programs will run on an ongoing basis starting with Windows 8.1 Preview version, which is expected to be released this month at Microsoft's Build developers conference.
However, the IE 11 Preview bug bounty program will only run for 30 days, between June 26 and July 26. The goal of this particular program is to find and patch vulnerabilities at the best possible time, during the beta period, said Mike Reavey, the senior director of the Microsoft Security Response Center (MSRC).
Google and Mozilla also have bug bounty programs for their respective browsers, Chrome and Firefox, but those programs have been running on an ongoing basis for several years.
The IE 11 program will reward individual vulnerability reports with different payouts depending on the criticality of the reported issue and quality of the report.