October 07, 2013, 3:59 PM — Microsoft today announced that it had paid more than $28,000 in rewards to researchers for its first bug bounty program, a one-month special it ran during the summer for the preview version of Internet Explorer 11 (IE11).
While Microsoft trumpeted the amount, it was actually only $1,000 more than Google paid outside researchers last week for reporting flaws in the latest version of the search company's Chrome browser, and about 10% of what Google has forked over so far this year to security researchers.
"The amount of money really only matters if their offer was way off base from other programs," said Andrew Storms, director of DevOps at cloud security vendor CloudPassage. "They [only] have to pay enough to entice people to report the bugs. On the other hand, those people who are more prone to sell their vulnerabilities on the black market are still going to do so."
Microsoft kicked off its IE11 Preview Bug Bounty program June 26, when it said it would pay researchers up to $11,000 for each IE11 vulnerability they found and reported through July 26.
At the launch of the bounty -- the first Microsoft initiative that paid researchers for each unknown vulnerability they reported -- Katie Moussouris, a senior security strategist lead with the company, said the IE11 program was designed to get researchers to file vulnerabilities during the browser's beta test run, a time when third-party bug brokers have declined to purchase flaws.
According to a page that spelled out the IE11 bug bounty results, Microsoft paid six researchers for reporting 15 bugs in the browser.
James Forshaw of Context Security walked off with $9,400 for submitting four IE11 flaws and pointing out some design vulnerabilities; Jose Antonio Vazquez Gonzalez of Yenteasy Security Research earned $5,500 for five bugs; Google engineers Ivan Fratric and Fermin J. Serna were awarded $1,100 and $500 for one vulnerability each; independent researcher Masato Kinugawa got $2,200 for a pair of bugs; and Peter Vreugdenhil of Exodus Intelligence reported one vulnerability.
Although Microsoft said that Vreugdenhil requested that his payment be withheld from publication, some quick arithmetic points to its size: the five disclosed awards total $18,700, so Microsoft's claim of more than $28,000 in payouts leaves at least $9,300, or roughly $10,000, for Vreugdenhil.
Both Forshaw and Vreugdenhil are former winners at the Pwn2Own hacking contest, one of each year's highest-profile challenges. Forshaw received $20,000 for hacking Java in March at the 2013 Pwn2Own, while Vreugdenhil was a $10,000 winner at the 2010 edition.
Fratric is also well known: In 2012, before he joined Google, he won second place and $50,000 in Microsoft's BlueHat Prize, a contest the Redmond, Wash. company launched to acquire new technologies to block return-oriented programming, or ROP, a technique often used to sidestep DEP, or data execution prevention, one of Windows' main anti-exploit technologies.
Storms rated the IE11 program a success, if only because, as Microsoft's first true bug bounty, it was a milestone. But he also characterized the quantity of reported vulnerabilities as "a healthy number" in an interview via instant message today.
"If you consider the number of CVEs for IE patched on any given Patch Tuesday, this lot probably represents one or two months of IE bulletins," Storms said.
Microsoft will release the final version of IE11 for Windows 8 and Windows RT on Oct. 17, when it offers the Windows 8.1 update to current users. IE11 for the more popular Windows 7 is to ship some time this fall.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.