Microsoft trumpets early success in IE11 bug bounty

'A few submissions' so far, but strategy to uncover flaws during the browser's beta is working, says company

Microsoft today said it had received "a few submissions" so far for its Internet Explorer 11 (IE11) bug bounty program, the first for the company.

"We've received a few submissions to date for the IE11 Preview Bug Bounty and the Mitigation Bypass Bounty ... [and] the investigations are underway," said Katie Moussouris, a senior security strategist lead, on a company blog.

The IE11 bounty was announced June 19 and kicked off June 26, with a limited-time run until July 26. During the month-long program, Microsoft will pay researchers up to $11,000 for each IE11 vulnerability they find and report.

A beta of IE11 was released June 26 as part of a public preview of Windows 8.1, the upgrade for Windows 8 and Windows RT, which does not yet have a definitive launch date. Microsoft has said it will ship Windows 8.1 this fall.

The other program Moussouris mentioned, the Mitigation Bypass Bounty, while not a true bug bounty, will award up to $100,000 for any novel exploitation technique able to circumvent Windows 8.1's layered defenses.

Moussouris also claimed victory, even though the IE11 bounty has run just one week.

"Some entries are coming from familiar researchers, and some are coming from researchers who had historically only reported issues via white market vulnerability brokers, after our beta period was over," she wrote. "This means that our strategy to attract researchers to report issues directly to us earlier in the release cycle is working already."

In an interview two weeks ago, Moussouris said that Microsoft's first-ever bug bounty was designed to motivate researchers to report vulnerabilities during the browser's beta, a period when third-party bug bounty brokers have declined to purchase flaws.

Those brokers, including HP TippingPoint's Zero Day Initiative and VeriSign's iDefense, have historically not paid for bugs in beta code because they have no way of knowing whether the flaws will be fixed before a product is shipped to customers.

Rewards for new IE11 vulnerabilities range from $500 to more than $11,000, depending on the type of bug and the amount of background material, including a working exploit, that the researcher provides.

Microsoft has published guidelines for the IE11 Preview Bug Bounty program on its website.

This article, Microsoft trumpets early success in IE11 bug bounty, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
