Microsoft Hands Out $28k In IE11 Bug Bounty Program

hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program that went on for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26 with Microsoft revealing at the time that it will pay out a maximum of $11,000 for each IE 11 vulnerability that was reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs while Google engineers Ivan Fratric and Fermin J. Serna were each handed out $1,100 and $500 respectively."

It is just QA cost saving

[faragon]

So they spend millions in developing the IE, including reviews, QA, etc. and they pay such miserable money for bug locating/fixing? Come on.

Re:It is just QA cost saving

You *should* post them online.

If you give MS secret notice and a heads up, then the NSA gets the bugs and exploits them, and MS takes ages to implement a fix. It's the real world here, they've been hacking Belgian telco's, Oil companies, banks using that trick. When discovered MS simply pretending it was a zero day expoit used by Russian or Chinese hackers and quickly rolled out a fix.

If you post it online on the other hand, we immediately know about it, and can immediately mitigate it by blocking that subsystem, or turning off this and that feature. Not perfect, but better than some military hacker only following orders.