Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Hands Out $28k In IE11 Bug Bounty Program

Posted by Unknown on from the freedom-not-included dept.

hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program that went on for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26 with Microsoft revealing at the time that it will pay out a maximum of $11,000 for each IE 11 vulnerability that was reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs while Google engineers Ivan Fratric and Fermin J. Serna were each handed out $1,100 and $500 respectively."

57 comments

  1. It is just QA cost saving by faragon · · Score: 5, Insightful

    So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

    1. Re:It is just QA cost saving by Anonymous Coward · · Score: 1

      This -> "miserable". What they pay out for a bug is not even a weeks salary for the marketing guys. Why help a "megacorp" when the reward is a pittance? If I thought it was worth it documenting all the bugs I find in MS products (and there are a few a week; and I am NOT a security researcher. Its just shit I stumble upon.) I would just post them online, screw the money.

    2. Re:It is just QA cost saving by Anonymous Coward · · Score: 1

      I'm guessing at least some of those would be otherwise doing this for free, now they get both recognition and some money. Depending on how long it took to make their findings it might not even be a miserable amount (then again, it might).

    3. Re:It is just QA cost saving by Anonymous Coward · · Score: 5, Insightful

      You *should* post them online.

      If you give MS secret notice and a heads up, then the NSA gets the bugs and exploits them, and MS takes ages to implement a fix. It's the real world here, they've been hacking Belgian telco's, Oil companies, banks using that trick. When discovered MS simply pretending it was a zero day expoit used by Russian or Chinese hackers and quickly rolled out a fix.

      If you post it online on the other hand, we immediately know about it, and can immediately mitigate it by blocking that subsystem, or turning off this and that feature. Not perfect, but better than some military hacker only following orders.

    4. Re:It is just QA cost saving by Gavagai80 · · Score: 2

      It's a win-win, helps microsoft and helps the researchers. Nothing wrong with that. There's something to be said for getting people far removed from the project and company looking at it too, they'll catch things that Microsoft employees just never would because of different perspectives and processes and goals.

      --
      This space intentionally left blank
    5. Re:It is just QA cost saving by K.+S.+Kyosuke · · Score: 2

      So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

      Well, it's a free market, auction it to the highest bidder. :-)

      --
      Ezekiel 23:20
    6. Re:It is just QA cost saving by HockeyPuck · · Score: 1

      Is it miserable to the researchers? Whether they got $9400 or $500, surely they don't mind the cash. If you want MSFT to pay you $100,000 to find bugs, then apply for a QA position at MSFT and negotiate a $100k salary.

      If I had the skills of a security researcher, I'd look at this as a way to make a few easy bucks.

    7. Re:It is just QA cost saving by Anonymous Coward · · Score: 1

      Agree, its f*cking cheap and typical MS (cut corners in all the wrong places, always), why not adopt properly documented reward system like Google? http://www.google.co.uk/about/appsecurity/reward-program/

    8. Re:It is just QA cost saving by Nerdfest · · Score: 1

      It's also a win for all of those people who are stuck with Windows (or at least think they are). It's staill too dangerous to browse the web without protection in Windows.

    9. Re:It is just QA cost saving by Anonymous Coward · · Score: 0

      Not really, its a win-shitwin, researchers would be morally and financially better off selling it on the black market.

      The prices are much better and you aren't part of the chain that sends drones off to kill people. (worst case i guess is identity fraud but people are insured here. Even if you have life insurance, it's not gonna bring you back to life after a drone strike)

    10. Re:It is just QA cost saving by synapse7 · · Score: 1

      The problem with this is spammers may offer more than what MS is offering.

    11. Re:It is just QA cost saving by ruir · · Score: 1

      So you are saying Microsoft needs an exploit and that they would be able to program any backdoor they wanted. Does it even makes sense?

    12. Re:It is just QA cost saving by __aaltlg1547 · · Score: 1

      They're doing their software testing on the cheap, having users find the defects in their code for an amount of money that's not worth the time of software professionals. That sucks, but it's better than what they and everybody else used to do: release shamefully buggy software as a public beta test (whether or not they called it that) and expect users to report bugs for no compensation at all.

      But look at it this way:

      So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

      If IE11 has the expected number of bugs, they will still spend almost as much on testing as they did on development.

    13. Re: It is just QA cost saving by Anonymous Coward · · Score: 0

      But, I'm sure you think it's 'innovative' and 'forward thinking' when Google does the exact same thing.

      Not that if expect anything less from anyone posting on this site.

    14. Re: It is just QA cost saving by tom229 · · Score: 1

      My thoughts exactly. The entire bug bounty they paid for one of their flagship products is a fraction what my small business spends on Microsoft licencing per year. If I was any of the above people I'd just sell my findings to the malware companies.

      --
      If it ain't broke, don't fix it.
    15. Re:It is just QA cost saving by Anonymous Coward · · Score: 0

      It just means that they don't want to pay for more than 2 days work in finding their bugs, provided that the people finding them are just out of the university, and have only basic skills. For a real developer it's probably closer to one day, maybe less. Guess they aren't all that serious about actually finding/fixing anything but the most obvious bugs.

    16. Re:It is just QA cost saving by lipanitech · · Score: 1

      First time they have ever done this just shows I think all companies are going to have to start offering this unless they want there exploits sold on the black market. If java offered that much a bug they would have less problems.

      --
      http://thetechnologygeek.org/
  2. Internet Explorer Trending UP by tuppe666 · · Score: 2

    http://www.w3counter.com/trends
    http://gs.statcounter.com/
    http://marketshare.hitslink.com/browser-market-share.aspx?qprid=1&qpcustomb=0

    There is an unexplained trend upwards in Internet Explorer

    1. Re:Internet Explorer Trending UP by Anonymous Coward · · Score: 2, Interesting

      It really isn't that hard to explain, while the crowd here hate anything MS, ie10 and ie11 are pretty decent, especially when browsers like firefox have gone downhill and people are starting to distrust the big bad google even more with spybrowser chrome. What I always find amazing though is that Opera never seems to catch on as a high flyer despite its consistent performance over the years.

    2. Re:Internet Explorer Trending UP by qaz123 · · Score: 1

      Font rendering in IE11 on Windows 8 is poor. I'd like to use IE but because of this I can't

    3. Re:Internet Explorer Trending UP by Anonymous Coward · · Score: 0

      firefox has gone to shit ever since versions 20 and beyond.
      i really thought 24 was a winner but it's back to running like shit again.

      quad core i7, 16 gigs of ram, high end nvidia video card, 100mbps internet and can't even watch a fucking youtube video.

      chrome and ie for the win.

    4. Re:Internet Explorer Trending UP by Anonymous Coward · · Score: 0

      What I always find amazing though is that Opera never seems to catch on as a high flyer despite its consistent performance over the years.

      Well, it's too late now. Nobody needs Chrome with a different theme.

      Which is a shame, Presto was really nice.

    5. Re:Internet Explorer Trending UP by cdrnet · · Score: 1

      It can't possibly be worse than Chrome which has dreadful font rendering on Windows.

    6. Re:Internet Explorer Trending UP by cdrnet · · Score: 1

      Correction: dreadful *Web*-font rendering. Normal system fonts are quite ok.

    7. Re:Internet Explorer Trending UP by Lennie · · Score: 1

      No, new Windows installations only come with one browser.

      If the browser works good enough, people don't install an other browser.

      That is what is going on.

      --
      New things are always on the horizon
    8. Re:Internet Explorer Trending UP by Anonymous Coward · · Score: 0

      If you have ever used Opera, you know why it has never caught on.

  3. And NSA pays them how much for 0-day? by Anonymous Coward · · Score: 0

    And they receive how much money from the NSA for providing them with details of zero-day exploits?

    Are they still providing NSA with zero day exploits BTW? I assume the answer is yes.

    1. Re:And NSA pays them how much for 0-day? by Myria · · Score: 1

      And they receive how much money from the NSA for providing them with details of zero-day exploits?

      Are they still providing NSA with zero day exploits BTW? I assume the answer is yes.

      It's more likely that the NSA pays VUPEN rather than Microsoft. Paying Microsoft directly would have blowback.

      --
      "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  4. And it's only for Internet Explorer and mitigation by Myria · · Score: 2

    They only were offering bounties for two particular things in Windows: Internet Explorer 11 and the new anti-exploit mitigations in Windows 8.1. Even though there are plenty of other security targets in Windows, only those two things would get you money.

    I found a bug in Windows's Secure Boot code that I'm using to jailbreak Windows RT. I might as well; it's not like they pay bug bounties for Secure Boot exploits.

    The exploit could be used to run Android on Surface RT with a kexec-like driver implementation, but this would be a huge amount of work for someone who doesn't know Linux internals.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  5. prying money from their cold dead hands by ebonum · · Score: 1

    Microsoft:
    3 months ending 2013-06-30:
    Revenue: 19.896 Billion USD
    Cost of goods/revenue sold: 5.602 Billion USD
    Gross Profit: 14.294 Billion USD
    Source:
    https://www.google.com/finance?q=NASDAQ:MSFT&fstype=ii&ei=wcBTUtihB8z2qQHI8AE

    Out of their costs of goods sold, these researchers got 0.00049982%.
    Me thinks their contribution to M$ is more than a few 10,000ths of 1%. They did what the 5.6 billion spent on internal people failed to do. And M$ doesn't have to pay their healthcare.

    The cost of the meeting (hourly pay, room, overhead, etc.) for a bunch of execs at Microsoft to figure out how little to give these guys most likely cost more than 28,000 USD.

    One can't help but to note that they gave the Google employees just enough to pay for dinner in downtown Palo Alto.

  6. Love is the Answer by tuppe666 · · Score: 2, Insightful

    ...the crowd here hate anything MS...

    If your answer includes "Microsoft is Hated" as a reason for anything you are right to not register here. Ignoring the fact that you sound like a sulky 16 year old girl. The mix here is far from being Linux and Apple centric. Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...but that would not stop them using IE. If it wants to be loved, producing decent products would be a good start.

    The answer is unlikely to be a new version of IE (one over a year old and one unrealsed)..."better" is just another unmeasurable "meh" it does not cut it here, or anywhere. It is still vastly behind, platform centric option. If IE10 was any good (IE11 not yet released) it would have started making traction 13 months ago...not now.

    1. Re:Love is the Answer by Anonymous Coward · · Score: 0

      You just proved his/her point.

      On a side note, some users may switch to new browser versions on day one, but companies don't. So expecting trends to visibly change around the release date of a browser is naive at best.

    2. Re:Love is the Answer by Anonymous Coward · · Score: 0

      Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...

      Heh. The sad thing is that if you swap the names Google or Apple into that statement (or any of a number of other obvious names), it would hold just about as much truth.

      There are plenty of good reasons right now to hate either of them just as much as MS. The only difference is that historically MS has been hated for longer.

      The only real issue is here trust. If you have an issue with that, I suggest you use Firefox. Otherwise, IE10/11 is as good a browser as any other.

    3. Re:Love is the Answer by Anonymous Coward · · Score: 0

      Sir. You're interrupting the anti-MS circle jerk. Move along.

    4. Re:Love is the Answer by Anonymous Coward · · Score: 0

      I can't even understand what you're saying. Is English not your first language?

  7. Depends on the amount by Anonymous Coward · · Score: 1

    It's unlikely to be cash, but gee, contracts. Big fat NSA surveillance equipment contracts. I can well believe those are the reward for the 0-day exploits.

    I'm reminded of QWEST CEO, the only telco to resists the NSA illegal demands... and was prosecuted for insider trading and suspects it was reprisal.
    https://www.techdirt.com/articles/20130927/14413024680/one-telco-exec-who-resisted-nsa-has-been-released-4-years-jail.shtml

    However, one of the things he mentions is that as soon as he resisted the NSA's demands, a big NSA contract with QWEST was cancelled (as presumed punishment).

    So it's not pocket change they're playing for here, it will be millions/ potentially billions of Microsoft revenue at stake for not playing along with NSA's power grab.

  8. cheap skates by Anonymous Coward · · Score: 0

    They would get a lot more on the black market. M$ should pay more.

  9. Why do I bother by tuppe666 · · Score: 1

    trends to visibly change around the release date of a browser is naive at best.

    That is not what I said. My point is that if a better(sic) browser was the reason for the years of Internet Explorer market decrease ironically despite vastly better browsers on the market, but it to happen it happen thirteen months after launch is inconceivable...people do not suddenly start getting old products without some catalyst for change, as even you claim the launch of the new version wasn't one(You go further claiming it couldn't be)

    The bottom line is the catalyst for change is somewhere else. I suspect that Internet Explorer sudden change of fortune, is a side effect of another change.

    1. Re:Why do I bother by Anonymous Coward · · Score: 0

      I can't explain the trends either. But anyway, as a web developper (UI and usability asides, focusing on standards support and performance), IE is no longer bad. It even surpasses other browsers on certain things. It clearly leads when it comes to GPU acceleration, for example. I'm working on a canvas-based JavaScript game, and IE runs it the fastest on Windows. Same thing on Windows Phone. You could argue that's because they run on a Microsoft OS, but before IE9, other browsers were always clearly faster than IE on MS OSes.

    2. Re:Why do I bother by Anonymous Coward · · Score: 0

      You go, girl!

  10. Firefox off topic. by tuppe666 · · Score: 1

    can't even watch a fucking youtube video...chrome and ie for the win.

    Ironically changes come at the expense of Chrome. Ignoring the fact that most users manage quite nicely to play videos on youtube, and it is unlikely that Google would not ensure that Firefox works well with youtube. Youtube has a HTML5 trial http://www.youtube.com/html5 , and it works great. In other news the firefox team is working towards a Flash replacement "Shumway" http://www.areweflashyet.com/shumway/

    It looks like youtube is a reason for using Firefox not against, As for your hardware flash is fast enough to run on anything but an iPhone ;)

    1. Re:Firefox off topic. by Anonymous Coward · · Score: 0

      GP is probably one of those spergoids that never reboots and has 200 tabs open.. Welcome to reference leak country.

  11. Black is White by tuppe666 · · Score: 3, Insightful

    Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...

    Heh. The sad thing is that if you swap the names Google or Apple into that statement (or any of a number of other obvious names), it would hold just about as much truth.

    Except its not even remotely true. Google move from strength to strength, and Apple are immune to criticism. Microsoft is surrounded by failure both in its traditional "monopoly" market windows and its new markets "products and services". Ballmer got stabbed in the front by Bill "my charity is better than yours" Gates "I don't have to pay tax". Its Xbone launch was anti-gamer.

    Want Proof....http://www.interbrand.com/en/best-global-brands/2013/Best-Global-Brands-2013.aspx Apple is considered the top brand...Google the top riser.(Microsoft did rise a smigin though ;)

  12. Propeganda by tuppe666 · · Score: 1

    observed Linux zealots and so-called "advocates" lying, spreading FUD

    http://en.wikipedia.org/wiki/Criticism_of_Microsoft list of criticisms, heavily documented.

  13. The bloody industry is crap by Imaman · · Score: 1

    That's what you get when management shit-for-brains get to decide what buzzwords are relevant in a job application. Framework familiarity > actual skills. Coincidentally the reason I left teh biz.

  14. Independent Measures by tuppe666 · · Score: 2

    http://html5test.com/results/desktop.html
    Chrome score 463
    Firefox score 414
    Internet Explorer 10 scores 320(Internet explorer 8 XP users trapped on scores 42)

    http://www.tomshardware.com/reviews/chrome-27-firefox-21-opera-next,3534-12.html which benchmarks the various browsers extensively gives
    Firefox score 326
    Chrome score of 326
    Internet Explorer 182

    1. Re:Independent Measures by __aaqvdr516 · · Score: 1

      Those numbers are nice and all but I just ran a tool that checks whether or not my browsers are Internet Explorer.

      The only browser that passed the Internet Explorer test was Internet Explorer 10.

      I also tested Pale Moon and Comodo Dragon and they both got 0% on the "Is my browser Internet Explorer" test.

    2. Re:Independent Measures by Crudely_Indecent · · Score: 1

      You really need to work on your delivery.

      And the "Is my browser Internet Explorer" test replied:
      Internet Explorer - but I hardly know 'er

      --


      "Lame" - Galaxar
  15. IE11 is a great browser... by Anonymous Coward · · Score: 0

    ...for downloading Mozilla Firefox.

  16. To be fair by SmallFurryCreature · · Score: 1

    That is a LOT of bug detectors who got 1 dollar from MS.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:To be fair by Anonymous Coward · · Score: 0

      Yes, it seems to be the new positive spin on X vulnerabilities spotted in IE11

  17. For 28k... by Anonymous Coward · · Score: 0

    I would've told them not to bother with the Surface 2, most cost-efficient consulting ever!

  18. Cheaper than hiring a security professional by Anonymous Coward · · Score: 0

    Why hire a professional and pay a professional salary when they can get people to work for peanuts? Forget about a career.

  19. My experience with IE10 by Anonymous Coward · · Score: 0

    Believe it or not, it's mostly positive. It has adblocking capability built in (tracking protection filters, though you have to download the lists from EasyList or Fanboy). It's... well, it's not as snappy as some of the more recent browsers, but it's not slow. It seems to render things correctly.

    I do have one big complaint, though. They got rid of the upper right search box. I thought maybe they combined it into the URL bar, but I've been using it for several months and, if they did, I sure as heck can't figure out how to search from there. Maybe I disabled it by accident, but I certainly don't remember doing anything of the sort. I actually had to download and install Bing bar to get a freaking search box that I can readily use. That's crazy and there's no reason for it. The old design with the search box in the upper right worked just fine. Ugh.

  20. IE is up to 11 now? I left at 6. by MXB2001 · · Score: 0

    Drat. And to think I could be making _big_ money if I only had kept up to date with my Operating System and it's preferred browser...

    --
    01/01/01