Slashdot Mirror


Microsoft Launches Windows Bug Bounty Program With Rewards Ranging From $500 To $250,000 (venturebeat.com)

Microsoft on Wednesday announced the Windows Bounty Program. Rewards start at a minimum of $500 and can go as high as $250,000. From a report: To be clear, Microsoft already offers many bug bounty programs. This is also not the first to target Windows features -- the company has launched several Windows-specific bounties since 2012. The Windows Bounty Program, however, encompasses Windows 10 and even the Windows Insider Preview, the company's program for testing Windows 10 preview builds. Furthermore, it has specific focus areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.

34 comments

  1. Okay Dokey by fahrbot-bot · · Score: 4, Funny

    I mailed in a Windows 10 Install DVD. When do I get my check for $250k?

    --
    It must have been something you assimilated. . . .
    1. Re:Okay Dokey by bobbied · · Score: 1

      Darn, you beat me to it... I used priority mail so maybe I get there first??

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Okay Dokey by ma1wrbu5tr · · Score: 1

      I wonder if this covers legacy OSes. I have Windows ME and Vista disks laying around here somewhere.

      --
      Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
    3. Re:Okay Dokey by Anonymous Coward · · Score: 0

      I want to know when Microsoft will start paying salaries to everyone running Windows 10 for all of the beta testing, advertising data and user data that those users provide.

  2. Bug: Runs LUDDITE software. by Anonymous Coward · · Score: 0, Funny

    Solution: Install appy Appdows 10 S instead of LUDDITE Windows 10!

    I expect my reward of 250,000 apps to be apped as soon as appable!

    Apps!

    1. Re:Bug: Runs LUDDITE software. by Anonymous Coward · · Score: 0

      > Solution: Install appy Appdows 10 S instead of LUDDITE Windows 10!
      >
      > I expect my reward of 250,000 apps to be apped as soon as appable!
      >
      > Apps!

      Your McMuffin jokes were better than your appy app jokes. (assuming same person).

    2. Re: Bug: Runs LUDDITE software. by Anonymous Coward · · Score: 0

      This is letting Microsoft take the initiative and be in control here. It would be better to let Microsoft and others participate in an auction with other darknet buyers over every exploit. Then when the price goes up to $20 million for what they thought they could get away with for $500, and they don't bid, the fallout from that can be turned into loss of reputation and public outrage. Either way Microsoft loses and is not in control of the process.

  3. Bugfix... by Anonymous Coward · · Score: 0

    Windows is flawed, Install Linux. Where's my money?

  4. Hunky Dory by Anonymous Coward · · Score: 0

    I mailed in my Windows 95 Install Floppy Disks. When do I get my check for $500k?

    On an unrelated note, I voted for Hillary Clinton, because I knew Trump was a dud, like the nuclear bomb that Reagan dropped on Moscow. It's the biggest joke in the intelligence community! Trump is the nuclear dud! LOL!

    1. Re:Hunky Dory by Anonymous Coward · · Score: 0

      Good one, Hillary. Really. Now take some time off.

  5. Don't get excited by citylivin · · Score: 1

    I thought I would be newly rich, as my technet / microsoft forums account only exists to file all the monthly bugs I find in Windows. But then I read it's only certain types of bugs that are eligible:

    "Any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer's privacy and security will receive a bounty"

    Oh well! I'll continue to do QA for free then, I guess.

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy
    1. Re:Don't get excited by mysidia · · Score: 2

      Also, Microsoft historically has quite the reputation of downplaying discovered bugs with security impact or reclassifying them as lower impact, until an actual exploit is publicized that defeats all mitigations.

      Doubt the bounty will help matters. Merely discovering a bug is not enough --- you're going to need to build the exploit too.

      Once you have an RCE exploit, you could PROBABLY make a lot more than $250k selling that to the CIA, etc.

    2. Re:Don't get excited by Anonymous Coward · · Score: 0

      But Windows is safe and makes you feel all warm and fuzzy inside!

    3. Re:Don't get excited by mysidia · · Score: 1

      > But Windows is safe

      “Will you walk into my parlour?” said the Spider to the Fly,

        'Tis the prettiest little parlour that ever you did spy;

          The way into my parlour is up a winding stair,

            And I've a many curious things to show when you are there.”

  6. They can't be serious! by Anonymous Coward · · Score: 0

    What's MS supposed to do when you stumble across an NSA sponsored "feature"? Or is this to make sure intentional vulnerabilities aren't too obvious?

    1. Re:They can't be serious! by Anonymous Coward · · Score: 0

      Patch it but remember that you left another "feature" elsewhere.

    2. Re:They can't be serious! by cavreader · · Score: 0

      I would expect a gigantic reward to be issued since to date there has been no government intelligence agency related "feature" ever discovered in any MS software. Are there bugs that create exploits? Sure. Just like every piece of software ever written. Do the government intelligence agencies keep an arsenal of possible 0-day exploits? Sure. This would fall squarely under their job description. A job description that includes words like "covert" and "clandestine". After all the US is not the only country that uses MS software.

    3. Re:They can't be serious! by bobbied · · Score: 0

      > What's MS supposed to do when you stumble across an NSA sponsored "feature"? Or is this to make sure intentional vulnerabilities aren't too obvious?

      They will deny it is a vulnerability and refuse to pay... After all, it's a "feature" and they already knew about it.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:They can't be serious! by fisted · · Score: 1

      If a vulnerability is found, how do you know who's ultimately responsible for it?

      Yeah, didn't think so. So "there has been no government intelligence agency related "feature" ever discovered" is completely meaningless.

    5. Re:They can't be serious! by Anonymous Coward · · Score: 0

      "Boy, what is it with you people? You think not getting caught in a lie is the same thing as telling the truth?"

    6. Re: They can't be serious! by F.Ultra · · Score: 2

      If we assume that NSA has such leverage over MS then that is probably a whole different section than the one doing this bounty program; remember that MS is a huge corporation.

    7. Re:They can't be serious! by Anonymous Coward · · Score: 0

      Do you have any proof that a government intelligence agency in cooperation with the software vendors have created purpose built exploitable security flaws? No. Didn't think so. And please I am still waiting for someone to discover and publish these purported "back doors" that supposedly exist in every version of Windows since 1990.

      The real irony when it comes to creating exploits is that it is much easier to do with open source than it is for closed source. Open Source: If you wanted to rob a bank it would be much easier if you have the building blueprints, computer network details, operating procedures, and all of the security system details before you attempt to rob the bank. Closed Source: You know the bank's location, operating hours, and the general layout of the bank lobby. The robbery could be successful at both banks, but having every single piece of information on your target raises the chances of success.

    8. Re:They can't be serious! by fisted · · Score: 1

      > Do you have any proof that a government intelligence agency in cooperation with the software vendors have created purpose built exploitable security flaws?

      No. Can this be proven? No, it's trivially plausibly deniable. Please learn basic reasoning and logic.

      My point stands, your initial assertion is meaningless.

      > The real irony [blah blah]

      So what does that have to do with anything?

    9. Re:They can't be serious! by Anonymous Coward · · Score: 0

      > "No. Can this be proven? No, it's trivially plausibly deniable. Please learn basic reasoning and logic."

      Your intelligence level seems to fall into the "trivially plausibly deniable" category. The question still remains. Can you support your accusations with any facts? Is this your idea of being "reasonable and logical"? Or are you just an ignorant cheerleader looking to spread your gospel far and wide because you know without a doubt that you are 100% right and everyone else is wrong? You are also saying that because the government denies these particular accusations that is proof that they have created exploits? Really?? What are you, 10 years old?

      If you say there are government created exploits in the software used today you really need some evidence. Or are we just supposed to take your word that the exploits exist?

    10. Re:They can't be serious! by fisted · · Score: 1

      > Your intelligence level [...]

      Oh the irony.

      > your accusations

      What exactly are "my accusations", my special friend? What I've done is pointing out that "there has been no government intelligence agency related "feature" ever discovered" is a meaningless statement. That is not remotely the same as me claiming there are in fact such backdoors; the difference is that I don't assume there aren't any, while you do, based on your meaningless statement. I'm repeating myself, but please get familiar with basic reasoning and logic.

  7. Edge by sproketboy · · Score: 3

    > Furthermore, it also has specific focus areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.

    Yeah but then I'd have to use Microsoft Edge.

    1. Re:Edge by Anonymous Coward · · Score: 0

      I've literally had a Microsoft IT paid business tech support guy tell me not to use Edge because it doesn't support everything yet.

      Both Dynamics CRM, as well as 3rd party plugins like Adobe Reader. So PDF support is basic shit and doesn't include text streams (read: filled in text) so it's USELESS FOR BUSINESSES trying to send quotes to each other.

    2. Re:Edge by bobbied · · Score: 2

      Yea, but it's FASTER (according to M$'s PR campaign that comes up when you start Edge)... Well SURE it's faster, it doesn't support anything that would slow it down.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  8. The Microsoft way: End user as QA Team by Anonymous Coward · · Score: 0

    They don't have to hire QA people, just release buggy software and pay people to find bugs.

  9. And whoever finds a bug in the Edge browser by hcs_$reboot · · Score: 1

    gets a 10 cents reward.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  10. Windows 10 is riddled with spyware!!! by Anonymous Coward · · Score: 0

    http://www.networkworld.com/article/2956574/microsoft-subnet/windows-10-privacy-spyware-settings-user-agreement.html
    http://bgr.com/2015/07/31/windows-10-upgrade-spying-how-to-opt-out/
    https://www.reddit.com/r/privacy/comments/5oygjc/you_still_cant_turn_off_windows_10s_builtin/

    Where's my bounty, Microsoft?

    PS I'd love to know the name of the turds in Microsoft who decided to take Windows down this path. Whoever you are, fuck you!

  11. Making it rain by Anonymous Coward · · Score: 0

    If they actually keep their word and payout everyone that finds a bug, they'll go bankrupt.

  12. File Explorer can't handle Long File Paths by Anonymous Coward · · Score: 0

    Windows File Explorer STILL, after DECADES, cannot handle Long File Paths that it ITSELF creates.

    Even after Microsoft added a flag to allow users to let apps handle Long File Paths !

    No charge for that one, Microsoft, JUST BLOODY FIX IT !