
Microsoft trumpets early success in IE11 bug bounty

'A few submissions' so far, but strategy to uncover flaws during the browser's beta is working, says company

Microsoft today said it had received "a few submissions" so far for its Internet Explorer 11 (IE11) bug bounty program, the first for the company.

"We've received a few submissions to date for the IE11 Preview Bug Bounty and the Mitigation Bypass Bounty ... [and] the investigations are underway," said Katie Moussouris, a senior security strategist lead, on a company blog.

The IE11 bounty was announced June 19 and kicked off June 26, with a limited-time run until July 26. During the month-long program, Microsoft will pay researchers up to $11,000 for each IE11 vulnerability they find and report.

A beta of IE11 was released June 26 as part of a public preview of Windows 8.1, the upgrade for Windows 8 and Windows RT, which does not yet have a definitive launch date. Microsoft has said it will ship Windows 8.1 this fall.

The other program Moussouris mentioned, the Mitigation Bypass Bounty, while not a true bug bounty, will award up to $100,000 for any novel exploitation technique able to circumvent Windows 8.1's layered defenses.

Moussouris also claimed victory, even though the IE11 bounty has run just one week.

"Some entries are coming from familiar researchers, and some are coming from researchers who had historically only reported issues via white market vulnerability brokers, after our beta period was over," she wrote. "This means that our strategy to attract researchers to report issues directly to us earlier in the release cycle is working already."

In an interview two weeks ago, Moussouris said that Microsoft's first-ever bug bounty was designed to motivate researchers to report vulnerabilities during the browser's beta, a period when third-party bug bounty brokers have declined to purchase flaws.

Those brokers, including HP TippingPoint's Zero Day Initiative and VeriSign's iDefense, have historically not paid for bugs in beta code because they have no way of knowing whether the flaws will be fixed before a product is shipped to customers.

Rewards for new IE11 vulnerabilities range from $500 to more than $11,000, depending on the type of bug and the amount of background material, including a working exploit, that the researcher provides.

Microsoft has published guidelines for the IE11 Preview Bug Bounty program on its website.

This article, Microsoft trumpets early success in IE11 bug bounty, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
