Slashdot Mirror


Microsoft Hands Out $28k In IE11 Bug Bounty Program

hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program that went on for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26 with Microsoft revealing at the time that it will pay out a maximum of $11,000 for each IE 11 vulnerability that was reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs while Google engineers Ivan Fratric and Fermin J. Serna were each handed out $1,100 and $500 respectively."


  1. It is just QA cost saving by faragon · · Score: 5, Insightful

    So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

    1. Re:It is just QA cost saving by Anonymous Coward · · Score: 5, Insightful

      You *should* post them online.

      If you give MS secret notice and a heads up, then the NSA gets the bugs and exploits them, and MS takes ages to implement a fix. It's the real world here, they've been hacking Belgian telcos, oil companies, banks using that trick. When discovered, MS simply pretended it was a zero-day exploit used by Russian or Chinese hackers and quickly rolled out a fix.

      If you post it online on the other hand, we immediately know about it, and can immediately mitigate it by blocking that subsystem, or turning off this and that feature. Not perfect, but better than some military hacker only following orders.

    2. Re:It is just QA cost saving by Gavagai80 · · Score: 2

      It's a win-win, helps Microsoft and helps the researchers. Nothing wrong with that. There's something to be said for getting people far removed from the project and company looking at it too; they'll catch things that Microsoft employees just never would because of different perspectives and processes and goals.

      --
      This space intentionally left blank
    3. Re:It is just QA cost saving by K. S. Kyosuke · · Score: 2

      So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

      Well, it's a free market, auction it to the highest bidder. :-)

      --
      Ezekiel 23:20
  2. Internet Explorer Trending UP by tuppe666 · · Score: 2
    1. Re:Internet Explorer Trending UP by Anonymous Coward · · Score: 2, Interesting

      It really isn't that hard to explain, while the crowd here hate anything MS, IE10 and IE11 are pretty decent, especially when browsers like Firefox have gone downhill and people are starting to distrust the big bad Google even more with spybrowser Chrome. What I always find amazing though is that Opera never seems to catch on as a high flyer despite its consistent performance over the years.

  3. And it's only for Internet Explorer and mitigation by Myria · · Score: 2

    They only were offering bounties for two particular things in Windows: Internet Explorer 11 and the new anti-exploit mitigations in Windows 8.1. Even though there are plenty of other security targets in Windows, only those two things would get you money.

    I found a bug in Windows's Secure Boot code that I'm using to jailbreak Windows RT. I might as well; it's not like they pay bug bounties for Secure Boot exploits.

    The exploit could be used to run Android on Surface RT with a kexec-like driver implementation, but this would be a huge amount of work for someone who doesn't know Linux internals.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  4. Love is the Answer by tuppe666 · · Score: 2, Insightful

    ...the crowd here hate anything MS...

    If your answer includes "Microsoft is Hated" as a reason for anything you are right to not register here. Ignoring the fact that you sound like a sulky 16 year old girl. The mix here is far from being Linux and Apple centric. Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...but that would not stop them using IE. If it wants to be loved, producing decent products would be a good start.

    The answer is unlikely to be a new version of IE (one over a year old and one unreleased)..."better" is just another unmeasurable "meh" it does not cut it here, or anywhere. It is still vastly behind, platform centric option. If IE10 was any good (IE11 not yet released) it would have started making traction 13 months ago...not now.

  5. Black is White by tuppe666 · · Score: 3, Insightful

    Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...

    Heh. The sad thing is that if you swap the names Google or Apple into that statement (or any of a number of other obvious names), it would hold just about as much truth.

    Except it's not even remotely true. Google move from strength to strength, and Apple are immune to criticism. Microsoft is surrounded by failure both in its traditional "monopoly" market windows and its new markets "products and services". Ballmer got stabbed in the front by Bill "my charity is better than yours" Gates "I don't have to pay tax". Its Xbone launch was anti-gamer.

    Want Proof.... http://www.interbrand.com/en/best-global-brands/2013/Best-Global-Brands-2013.aspx Apple is considered the top brand...Google the top riser. (Microsoft did rise a smidgen though ;)

  6. Independent Measures by tuppe666 · · Score: 2

    http://html5test.com/results/desktop.html
    Chrome score 463
    Firefox score 414
    Internet Explorer 10 scores 320 (Internet Explorer 8 XP users trapped on scores 42)

    http://www.tomshardware.com/reviews/chrome-27-firefox-21-opera-next,3534-12.html which benchmarks the various browsers extensively gives
    Firefox score 326
    Chrome score of 326
    Internet Explorer 182