Microsoft to pay cash for vulnerability reports

Up to US$100,000 bounty.

Following the example of other vendors such as Google and Mozilla, Microsoft this morning announced three security bounty programmes starting next week, with cash offered to those who discover and report vulnerabilities and exploitation techniques.

Under the Mitigation Bypass Bounty programme, a "truly novel exploitation" technique that can be used to bypass protections in Windows 8.1 preview could earn those who report it up to US$100,000.

Microsoft said learning about new exploitation techniques helped the company improve security by leaps, instead of capturing one vulnerability at a time.

The BlueHat Bonus for Defence programme pays up to US$50,000 for ideas on defensive technologies to protect computer systems, and Microsoft has also set up a thirty-day bug bounty programme for the new Internet Explorer 11 preview, ending July 26 this year.

While the Internet Explorer 11 preview programme offers between US$500 and US$11,000 for vulnerabilities, Microsoft said it "reserves the right" to pay more than that, depending on the entry quality and complexity.

Although the programmes are primarily aimed at Windows 8.1, Microsoft said it would gladly accept reports about vulnerabilities for previous versions of Windows.

Bug bounty hunters must be 14 years or older, and minors need a parent's or legal guardian's permission to take part in the programmes.

Microsoft employees are not eligible to take part in the programmes, nor are residents of countries under United States sanctions such as Cuba, Iran, North Korea, Sudan and Syria.
