Microsoft has paid out its second $100,000 bug bounty since launching its reward program in mid-2013. The award brings total payouts for the program to $253,000 in under a year.
The latest recipient is Yu Yang, a researcher with NSFOCUS Security Labs. He won the Mitigation Bypass bounty, which pays up to $100,000 for qualifying submissions from security researchers who discover “truly novel exploitation techniques” against protections built into the latest version of the Windows 8 operating system.
Microsoft does not release details of the vulnerabilities, let alone the exploits, discovered under the program until a patch is issued.
Last autumn, the company expanded the Mitigation Bypass Bounty to also pay out for responders and forensic experts who discover and submit previously unknown techniques that are in the wild – in other words, exploits the researchers have not created themselves.
“We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we’ll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive,” said Katie Moussouris, senior security strategist lead, Microsoft Trustworthy Computing.
Black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it – zero-days, in other words. Thus the bounty programs are designed to “change the dynamics and the economics of the current vulnerability market,” she said, offering payouts for bugs when other buyers typically are not buying them (e.g., during the preview/beta period).
Last year, James Forshaw, head of vulnerability research at UK-based Context Information Security, became the first to snag the $100,000 Mitigation Bypass Bounty, for a vulnerability that he discovered and developed an exploit for.
“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus of complex logic bugs,” Forshaw said at the time, in a Microsoft blog. “I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires. Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offense to defense.”
So far, Yang has been rather quiet about the reward and was not tapped by Microsoft to make a statement. He did tweet, “In order to express my thanks for your congratulation, maybe I should submit more. :-)”