Microsoft Hands Out $100k For Windows Security Bypass

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Researcher takes home over $100,000 for bypass and other bugs

Microsoft has paid a researcher $100,000 (£62k)  for his method of bypassing the security of the Windows operating system.

James Forshaw, of Context Information Security, was the recipient, although Microsoft said it couldn’t go into detail on the bypass techniques he used until it has addressed them.

Security vulnerability - Shutterstock - FuzzBonesThat means, despite a slew of fixes being issued in yesterday’s Patch Tuesday package, the flaws used by Forshaw remain exploitable.

Internet Explorer hack

Forshaw’s reward is part of the recently-launched Mitigation Bypass Bounty programme, which rewards proof of serious exploits rather than just bugs. That operates alongside Microsoft’s traditional bug bounty.

“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack,” said Katie Moussouris, senior security strategist lead at Microsoft Trustworthy Computing, in a blog post.

“This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”

Microsoft had only just announced more than $28,000 of rewards as part of its first bug bounty programme.

Peter Vreugdenhil, of Exodus Intelligence, which formed out of HP’s Zero Day Initiative, received the most from that lot with a $10,000 prize. Forshaw had already won $9,400 for his bug finds.

Internet companies have been ramping up their bug bounty efforts in recent months. Yahoo announced its own version recently, which will award prizes of up to $15,000, after it was slammed for handing out vouchers for company merchandise when bug reports came in.

Sorry, there’s no cash reward, but still  Try our security quiz!