Microsoft has announced that it will pay up to $100,000 to researchers who present the company with previously unknown security flaws.
Redmond said that its bounty system would be divided into three operations, which will also address defense techniques and browser exploits. The three campaigns will offer rewards of $100,000, $50,000 and $11,000.
The most lucrative category will be in the disclosure of zero-day flaws and attack techniques in Windows. The six-figure reward will be offered to researchers who can present critical vulnerabilities in the latest patched version of Windows.
The company will offer $50,000 to researchers who can bring the company techniques for mitigating attacks on critical security vulnerabilities. Both programmes will be ongoing efforts for the company.
A third programme will run for a limited time and will ask researchers to bring forward flaws in the latest version of Windows. That contest will run from 26 June to 26 July and will carry a $11,000 payout.
They will also help to fill gaps in the current marketplace and enhance our relationships within this invaluable community, Microsoft security response center general manager Mike Reavey said of the programmes. All while making our products more secure for our customers.
The move represents an about face for a Microsoft group that was once an outspoken opponent of paying researchers for bug reports. In 2007 the firm said that bounty programmes were not healthy for the security community.
Once controversial, vulnerability payment programmes have become established as an effective way to connect security researchers with vendors and reduce the prevalence of zero day flaw disclosures. Platforms such as HP's ZDI purchase then confidentially report flaws to vendors, while Google has opted to directly pay out rewards to researchers who report Chrome vulnerabilities.
Redmond said that its bounty system would be divided into three operations, which will also address defense techniques and browser exploits. The three campaigns will offer rewards of $100,000, $50,000 and $11,000.
The most lucrative category will be in the disclosure of zero-day flaws and attack techniques in Windows. The six-figure reward will be offered to researchers who can present critical vulnerabilities in the latest patched version of Windows.
The company will offer $50,000 to researchers who can bring the company techniques for mitigating attacks on critical security vulnerabilities. Both programmes will be ongoing efforts for the company.
A third programme will run for a limited time and will ask researchers to bring forward flaws in the latest version of Windows. That contest will run from 26 June to 26 July and will carry a $11,000 payout.
They will also help to fill gaps in the current marketplace and enhance our relationships within this invaluable community, Microsoft security response center general manager Mike Reavey said of the programmes. All while making our products more secure for our customers.
The move represents an about face for a Microsoft group that was once an outspoken opponent of paying researchers for bug reports. In 2007 the firm said that bounty programmes were not healthy for the security community.
Once controversial, vulnerability payment programmes have become established as an effective way to connect security researchers with vendors and reduce the prevalence of zero day flaw disclosures. Platforms such as HP's ZDI purchase then confidentially report flaws to vendors, while Google has opted to directly pay out rewards to researchers who report Chrome vulnerabilities.
