In June, Microsoft announced it would be awarding money to people who come up with truly novel ways of getting around the protections in Windows 8.1 Preview, and to those who can find critical vulnerabilities in Internet Explorer 11 Preview.
Today, the company announced it’s awarding $100,000 to James Forshaw, a security vulnerability researcher with Context Information Security. Forshaw was awarded the Mitigation Bypass Bounty for coming up with a new exploitation technique that gets around the protections in Windows 8.1 Preview.
(“Mitigation bypasses” are techniques for getting around the protections in a system.)
Microsoft said it couldn’t offer details of the new mitigation bypass technique until the company addresses it.
Katie Moussouris, senior security strategist lead with Microsoft Trustworthy Computing, did say in a statement: “We’re thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James’ entry will help us improve our platform-wide defenses and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues.”
Forshaw was already among those who won part of the $28,000 bug bounty awarded for finding IE11 Preview vulnerabilities.
Microsoft said it pays a much higher bounty for a new attack technique than for an individual bug because “learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack.”
The IE11 Preview Bug Bounty program is now closed, but the Mitigation Bypass Bounty program and a BlueHat Bonus for Defense program, which rewards defensive ideas that block a qualifying mitigation bypass submission, are ongoing.