Members
  • Total Members: 12809
  • Latest: Dorel
Stats
  • Total Posts: 28478
  • Total Topics: 8238
  • Online Today: 797
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Microsoft offer $250,000 to security researchers  (Read 2546 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Microsoft offer $250,000 to security researchers
« on: 05. August 2011., 08:09:13 »


Microsoft is offering more than $250,000 to researchers who develop new security defenses to protect Windows users against attacks that exploit software bugs.

Microsoft's Blue Hat Prize: http://www.microsoft.com/security/bluehatprize/ announced on Wednesday at the Black Hat security conference will pay $200,000 for the best “novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities.” The two runners up will receive $50,000 and a MSDN Universal subscription valued at $10,000, respectively.

“The Microsoft BlueHat Prize contest is designed to generate new ideas for defensive approaches to support computer security,” the software maker's announcement stated. “As part of our commitment to a more secure computing experience, we hope to inspire security researchers to develop innovative solutions intended to address serious security threats.”

Microsoft over the years has added an alphabet soup of protections to its software that are designed to mitigate the damage that can be done when hackers discover buffer overflows and other bugs that inevitably afflict any complex piece of code. ASLR, or address space layout randomization; DEP, or data execution prevention; SEHOP, or structured exception handling overwrite protection; and SafeSeh are just some of the examples.

The protections aren't intended to prevent bugs, but rather to prevent attackers from exploiting them to steal data or remotely execute malicious code on vulnerable systems.

“This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology,” Matt Thomlinson, general manager of Microsoft’s Trustworthy Computing Group, wrote here: http://blogs.technet.com/b/msrc/archive/2011/07/27/bluehat.aspx "In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations."

Wednesday's announcement came a week after Facebook joined Mozilla and Google in paying cash bounties to researchers who privately report security vulnerabilities in their software and services: http://scforum.info/index.php/board,21.0.html Microsoft continues to steadfastly refuse to reimburse bug discoverers for the time and expertise they provide in helping stamp out bugs on the Windows platform.

Contest rules are here: http://www.microsoft.com/security/bluehatprize/rules.aspx

(ElReg)

Samker's Computer Forum - SCforum.info

Microsoft offer $250,000 to security researchers
« on: 05. August 2011., 08:09:13 »




Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Microsoft hands out $28K to bug-hunters
« Reply #1 on: 11. October 2013., 18:09:58 »
Microsoft hands out $28K to bug-hunters:

Quote
"Microsoft's first ever bug bounty programme has resulted in payouts totalling $28,000 to security researchers who found flaws in the preview release of Internet Explorer 11.

Redmond offers a maximum reward of $11,000 to researchers who found security vulnerabilities in pre-release versions of IE 11 during the period of the bug bounty programme, which ran for a month from 26 June. In the event Microsoft paid out $28k to six researchers who collectively reported 15 different bugs.

An honours roll page credits James Forshaw of Context Security as the most prolific of these researchers: http://www.microsoft.com/security/msrc/report/acknowledgement.aspx#
Forshaw earned $9,400 for his efforts in discovering design level vulnerabilities and other security bugs in IE11.

Google engineers Ivan Fratric and Fermin J Serna received $1,100 and $500, respectively, for uncovering lesser flaws. Both these bounties were donated to charity.

Bug bounty programmes have become commonplace across the IT industry over recent years. The schemes motivate researchers to report flaws to vendors, rather than selling details of bugs to TippingPoint's Zero Day Initiative or hawking them through exploit brokers or vulnerability marketplaces: http://blog.bugcrowd.com/list-of-active-bug-bounty-programs
Google's bug bounties are the best known and most financially generous.

The IE 11 bug-hunting season has closed but Microsoft is still offering a rather more generous $100,000 for "truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview)": http://www.microsoft.com/security/msrc/report/bountyprograms.aspx#
And this can be topped up by a reward of up to $50,000 for ideas on how to defend against identified attacks."

(ElReg)

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising