Slashdot Mirror


Microsoft Hands Out $28k In IE11 Bug Bounty Program

hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program, which ran for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26, with Microsoft revealing at the time that it would pay out a maximum of $11,000 for each IE 11 vulnerability reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design-level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs, while Google engineers Ivan Fratric and Fermin J. Serna were handed $1,100 and $500 respectively."

34 of 57 comments

  1. It is just QA cost saving by faragon · · Score: 5, Insightful

    So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

    1. Re:It is just QA cost saving by Anonymous Coward · · Score: 1

      This -> "miserable". What they pay out for a bug is not even a week's salary for the marketing guys. Why help a "megacorp" when the reward is a pittance? If I thought it was worth it documenting all the bugs I find in MS products (and there are a few a week; and I am NOT a security researcher. It's just shit I stumble upon.) I would just post them online, screw the money.

    2. Re:It is just QA cost saving by Anonymous Coward · · Score: 1

      I'm guessing at least some of those would be otherwise doing this for free, now they get both recognition and some money. Depending on how long it took to make their findings it might not even be a miserable amount (then again, it might).

    3. Re:It is just QA cost saving by Anonymous Coward · · Score: 5, Insightful

      You *should* post them online.

      If you give MS secret notice and a heads up, then the NSA gets the bugs and exploits them, and MS takes ages to implement a fix. It's the real world here; they've been hacking Belgian telcos, oil companies, and banks using that trick. When discovered, MS simply pretended it was a zero-day exploit used by Russian or Chinese hackers and quickly rolled out a fix.

      If you post it online on the other hand, we immediately know about it, and can immediately mitigate it by blocking that subsystem, or turning off this and that feature. Not perfect, but better than some military hacker only following orders.

    4. Re:It is just QA cost saving by Gavagai80 · · Score: 2

      It's a win-win, helps Microsoft and helps the researchers. Nothing wrong with that. There's something to be said for getting people far removed from the project and company looking at it too; they'll catch things that Microsoft employees just never would because of different perspectives and processes and goals.

      --
      This space intentionally left blank
    5. Re:It is just QA cost saving by K.+S.+Kyosuke · · Score: 2

      So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

      Well, it's a free market, auction it to the highest bidder. :-)

      --
      Ezekiel 23:20
    6. Re:It is just QA cost saving by HockeyPuck · · Score: 1

      Is it miserable to the researchers? Whether they got $9400 or $500, surely they don't mind the cash. If you want MSFT to pay you $100,000 to find bugs, then apply for a QA position at MSFT and negotiate a $100k salary.

      If I had the skills of a security researcher, I'd look at this as a way to make a few easy bucks.

    7. Re:It is just QA cost saving by Anonymous Coward · · Score: 1

      Agree, it's f*cking cheap and typical MS (cut corners in all the wrong places, always). Why not adopt a properly documented reward system like Google's? http://www.google.co.uk/about/appsecurity/reward-program/

    8. Re:It is just QA cost saving by Nerdfest · · Score: 1

      It's also a win for all of those people who are stuck with Windows (or at least think they are). It's still too dangerous to browse the web without protection in Windows.

    9. Re:It is just QA cost saving by synapse7 · · Score: 1

      The problem with this is spammers may offer more than what MS is offering.

    10. Re:It is just QA cost saving by ruir · · Score: 1

      So you are saying Microsoft needs an exploit and that they would be able to program any backdoor they wanted. Does it even make sense?

    11. Re:It is just QA cost saving by __aaltlg1547 · · Score: 1

      They're doing their software testing on the cheap, having users find the defects in their code for an amount of money that's not worth the time of software professionals. That sucks, but it's better than what they and everybody else used to do: release shamefully buggy software as a public beta test (whether or not they called it that) and expect users to report bugs for no compensation at all.

      But look at it this way:

      So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

      If IE11 has the expected number of bugs, they will still spend almost as much on testing as they did on development.

    12. Re: It is just QA cost saving by tom229 · · Score: 1

      My thoughts exactly. The entire bug bounty they paid for one of their flagship products is a fraction of what my small business spends on Microsoft licencing per year. If I was any of the above people I'd just sell my findings to the malware companies.

      --
      If it ain't broke, don't fix it.
    13. Re:It is just QA cost saving by lipanitech · · Score: 1

      The first time they have ever done this just shows, I think, that all companies are going to have to start offering this unless they want their exploits sold on the black market. If Java offered that much per bug they would have fewer problems.

  2. Internet Explorer Trending UP by tuppe666 · · Score: 2
    1. Re:Internet Explorer Trending UP by Anonymous Coward · · Score: 2, Interesting

      It really isn't that hard to explain. While the crowd here hate anything MS, IE10 and IE11 are pretty decent, especially when browsers like Firefox have gone downhill and people are starting to distrust the big bad Google even more with spybrowser Chrome. What I always find amazing, though, is that Opera never seems to catch on as a high flyer despite its consistent performance over the years.

    2. Re:Internet Explorer Trending UP by qaz123 · · Score: 1

      Font rendering in IE11 on Windows 8 is poor. I'd like to use IE but because of this I can't.

    3. Re:Internet Explorer Trending UP by cdrnet · · Score: 1

      It can't possibly be worse than Chrome which has dreadful font rendering on Windows.

    4. Re:Internet Explorer Trending UP by cdrnet · · Score: 1

      Correction: dreadful *Web*-font rendering. Normal system fonts are quite ok.

    5. Re:Internet Explorer Trending UP by Lennie · · Score: 1

      No, new Windows installations only come with one browser.

      If the browser works well enough, people don't install another browser.

      That is what is going on.

      --
      New things are always on the horizon
  3. And it's only for Internet Explorer and mitigation by Myria · · Score: 2

    They were only offering bounties for two particular things in Windows: Internet Explorer 11 and the new anti-exploit mitigations in Windows 8.1. Even though there are plenty of other security targets in Windows, only those two things would get you money.

    I found a bug in Windows's Secure Boot code that I'm using to jailbreak Windows RT. I might as well; it's not like they pay bug bounties for Secure Boot exploits.

    The exploit could be used to run Android on Surface RT with a kexec-like driver implementation, but this would be a huge amount of work for someone who doesn't know Linux internals.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  4. Re:And NSA pays them how much for 0-day? by Myria · · Score: 1

    And they receive how much money from the NSA for providing them with details of zero-day exploits?

    Are they still providing NSA with zero day exploits BTW? I assume the answer is yes.

    It's more likely that the NSA pays VUPEN rather than Microsoft. Paying Microsoft directly would have blowback.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  5. prying money from their cold dead hands by ebonum · · Score: 1

    Microsoft:
    3 months ending 2013-06-30:
    Revenue: 19.896 Billion USD
    Cost of goods/revenue sold: 5.602 Billion USD
    Gross Profit: 14.294 Billion USD
    Source:
    https://www.google.com/finance?q=NASDAQ:MSFT&fstype=ii&ei=wcBTUtihB8z2qQHI8AE

    Out of their costs of goods sold, these researchers got 0.00049982%.
    Me thinks their contribution to M$ is more than a few 10,000ths of 1%. They did what the 5.6 billion spent on internal people failed to do. And M$ doesn't have to pay for their healthcare.

    The cost of the meeting (hourly pay, room, overhead, etc.) for a bunch of execs at Microsoft to figure out how little to give these guys most likely cost more than 28,000 USD.

    One can't help but to note that they gave the Google employees just enough to pay for dinner in downtown Palo Alto.

  6. Love is the Answer by tuppe666 · · Score: 2, Insightful

    ...the crowd here hate anything MS...

    If your answer includes "Microsoft is hated" as a reason for anything, you are right not to register here. Ignoring the fact that you sound like a sulky 16-year-old girl, the mix here is far from being Linux and Apple centric. Microsoft is an abusive, customer-hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...but that would not stop them using IE. If it wants to be loved, producing decent products would be a good start.

    The answer is unlikely to be a new version of IE (one over a year old and one unreleased)..."better" is just another unmeasurable "meh"; it does not cut it here, or anywhere. It is still a vastly behind, platform-centric option. If IE10 was any good (IE11 not yet released) it would have started gaining traction 13 months ago...not now.

  7. Depends on the amount by Anonymous Coward · · Score: 1

    It's unlikely to be cash, but gee, contracts. Big fat NSA surveillance equipment contracts. I can well believe those are the reward for the 0-day exploits.

    I'm reminded of the QWEST CEO, the only telco exec to resist the NSA's illegal demands... who was prosecuted for insider trading and suspects it was reprisal.
    https://www.techdirt.com/articles/20130927/14413024680/one-telco-exec-who-resisted-nsa-has-been-released-4-years-jail.shtml

    However, one of the things he mentions is that as soon as he resisted the NSA's demands, a big NSA contract with QWEST was cancelled (as presumed punishment).

    So it's not pocket change they're playing for here; it will be millions, potentially billions, of Microsoft revenue at stake for not playing along with the NSA's power grab.

  8. Why do I bother by tuppe666 · · Score: 1

    trends to visibly change around the release date of a browser is naive at best.

    That is not what I said. My point is that if a better(sic) browser was the reason for the years of Internet Explorer market decrease, ironically despite vastly better browsers on the market, then for it to happen thirteen months after launch is inconceivable...people do not suddenly start getting old products without some catalyst for change, as even you claim the launch of the new version wasn't one (you go further, claiming it couldn't be).

    The bottom line is that the catalyst for change is somewhere else. I suspect that Internet Explorer's sudden change of fortune is a side effect of another change.

  9. Firefox off topic. by tuppe666 · · Score: 1

    can't even watch a fucking youtube video...chrome and ie for the win.

    Ironically, changes come at the expense of Chrome. Ignoring the fact that most users manage quite nicely to play videos on YouTube, it is unlikely that Google would not ensure that Firefox works well with YouTube. YouTube has an HTML5 trial http://www.youtube.com/html5 , and it works great. In other news, the Firefox team is working towards a Flash replacement, "Shumway" http://www.areweflashyet.com/shumway/

    It looks like YouTube is a reason for using Firefox, not against it. As for your hardware, Flash is fast enough to run on anything but an iPhone ;)

  10. Black is White by tuppe666 · · Score: 3, Insightful

    Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...

    Heh. The sad thing is that if you swap the names Google or Apple into that statement (or any of a number of other obvious names), it would hold just about as much truth.

    Except it's not even remotely true. Google move from strength to strength, and Apple are immune to criticism. Microsoft is surrounded by failure both in its traditional "monopoly" market, Windows, and its new markets, "products and services". Ballmer got stabbed in the front by Bill "my charity is better than yours" Gates "I don't have to pay tax". Its Xbone launch was anti-gamer.

    Want proof....http://www.interbrand.com/en/best-global-brands/2013/Best-Global-Brands-2013.aspx Apple is considered the top brand...Google the top riser. (Microsoft did rise a smidgen though ;)

  11. Propaganda by tuppe666 · · Score: 1

    observed Linux zealots and so-called "advocates" lying, spreading FUD

    http://en.wikipedia.org/wiki/Criticism_of_Microsoft list of criticisms, heavily documented.

  12. The bloody industry is crap by Imaman · · Score: 1

    That's what you get when management shit-for-brains get to decide what buzzwords are relevant in a job application. Framework familiarity > actual skills. Coincidentally the reason I left teh biz.

  13. Independent Measures by tuppe666 · · Score: 2

    http://html5test.com/results/desktop.html
    Chrome score 463
    Firefox score 414
    Internet Explorer 10 scores 320(Internet explorer 8 XP users trapped on scores 42)

    http://www.tomshardware.com/reviews/chrome-27-firefox-21-opera-next,3534-12.html which benchmarks the various browsers extensively gives
    Firefox score 326
    Chrome score of 326
    Internet Explorer 182

    1. Re:Independent Measures by __aaqvdr516 · · Score: 1

      Those numbers are nice and all but I just ran a tool that checks whether or not my browsers are Internet Explorer.

      The only browser that passed the Internet Explorer test was Internet Explorer 10.

      I also tested Pale Moon and Comodo Dragon and they both got 0% on the "Is my browser Internet Explorer" test.

    2. Re:Independent Measures by Crudely_Indecent · · Score: 1

      You really need to work on your delivery.

      And the "Is my browser Internet Explorer" test replied:
      Internet Explorer - but I hardly know 'er

      --
      "Lame" - Galaxar
  14. To be fair by SmallFurryCreature · · Score: 1

    That is a LOT of bug detectors who got 1 dollar from MS.

    --
    MMO Quests are like orgasms: You may solo them, I prefer them in a group.