recommended reading

$11,000 for Anyone Who Spots an Internet Explorer Bug Before Dot-gov Hackers

Adriano Castelli/Shutterstock.com

Microsoft will pay coders as much as $11,000 for discovering Web browser defects before hackers can serve up viruses through flawed dot-gov and other websites, the software giant announced on Tuesday.

Joining the "bug bounty" trend begun by Google and Mozilla, Microsoft will crowdsource error detection starting June 26, company officials said.

The firm wants to hear about "critical vulnerabilities” that affect Internet Explorer 11 Preview on Microsoft's new operating system, Windows 8.1 Preview. The direct cash payments for finding Internet Explorer defects only will be offered for one month, with a July 26 cutoff for submissions, according to the company's website. 

"Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure," officials explained. 

In May researchers identified a "watering hole" assault on the Labor Department's “Site Exposure Matrices” website  that took advantage of an undetected vulnerability in certain IE browsers. The database lists nuclear-related illnesses linked to federal facilities and toxicity levels at each location that might have sickened employees developing atomic weapons. Watering hole attacks exploit glitches in websites to implant malicious software that then infiltrates the computers of people visiting the sites.

Under Microsoft’s program, $150,000 will be the top prize for programmers who discover and plug a hole in the new Windows operating system. Coders who discover "truly novel exploitation techniques against protections" in Windows 8.1 Preview will collect $100,000. Microsoft will shell out an additional $50,000 for "defensive ideas" that protect users from these threats.

Researchers at security firm Kaspersky Lab on Tuesday noted that for years Microsoft said it didn't need a bug bounty program

"Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That’s no longer the case,” according to anentry on the lab’s blog.

Vulnerability brokers include researchers who sell "zero day" viruses that wriggle through previously unknown software flaws.

Chris Wysopal, chief technology officer at Veracode, told the lab, “Mitigation bypasses are very valuable on the open market," adding, "Microsoft is clearly trying to steer that research to them so they can make defensive improvements." 

Wysopal said, “This should pay for itself as it would cost much more than the bounty to fix these in a patch.  They should do this for all their beta products.”

(Image via Adriano Castelli / Shutterstock.com)

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.