
$11,000 for Anyone Who Spots an Internet Explorer Bug Before Dot-gov Hackers


Microsoft will pay researchers as much as $11,000 for reporting Web browser flaws before attackers can use them to deliver malware through compromised dot-gov and other websites, the software giant announced on Tuesday.

Joining the "bug bounty" trend popularized by Google and Mozilla, Microsoft will crowdsource vulnerability hunting starting June 26, company officials said.

The firm wants to hear about "critical vulnerabilities" that affect Internet Explorer 11 Preview on Microsoft's new operating system, Windows 8.1 Preview. The direct cash payments for Internet Explorer defects will be offered for only one month, with a July 26 cutoff for submissions, according to the company's website.

"Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure," officials explained. 

In May, researchers identified a "watering hole" attack on the Labor Department's "Site Exposure Matrices" website that took advantage of a previously unknown vulnerability in certain versions of Internet Explorer. The database lists nuclear-related illnesses linked to federal facilities and the toxicity levels at each location that might have sickened employees who developed atomic weapons. In a watering hole attack, intruders compromise a legitimate website that their intended victims are known to visit and plant code there that exploits browser flaws to install malware on visitors' computers; the site is the bait, and the people who frequent it are the target.
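Because the compromised site, not the visitor, is where a watering hole is planted, the defensive check that belongs to the site owner is to watch their own pages for content they never published. The following is an added example, not code from the article or from Microsoft or the Labor Department: a small Python scanner that parses a page snapshot and flags scripts or frames loaded from hosts outside an allowlist, as well as zero-size or hidden iframes, which are the usual shape of an injected exploit loader. The allowlist, the page host and the sample HTML (using a TEST-NET address and a `.invalid` domain) are constructed for illustration.

```python
"""Flag injected third-party scripts and frames in a page snapshot.

Added example for the watering-hole passage above; not from the original
article. The hosts, page and allowlist are constructed, not real data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the (hypothetical) site legitimately loads scripts and frames from.
ALLOWED_HOSTS = {"www.example.gov", "static.example.gov"}


class InjectionScanner(HTMLParser):
    """Collect (tag, src, reason) for loaders a site owner did not publish."""

    LOADER_TAGS = ("script", "iframe", "object", "embed")

    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts) | {page_host}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.LOADER_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data")
        if not src:
            return
        host = urlparse(src).hostname
        if host is None:
            return  # relative URL: served from this site itself
        reasons = []
        if host not in self.allowed:
            reasons.append("unlisted host %s" % host)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        if tag == "iframe" and hidden:
            reasons.append("hidden iframe")  # classic exploit-kit loader shape
        if reasons:
            self.findings.append((tag, src, "; ".join(reasons)))


def scan_page(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (tag, src, reason) findings for one HTML document."""
    scanner = InjectionScanner(page_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed snapshot: one legitimate script, one injected script from a
# TEST-NET address, one hidden iframe from a .invalid host, one local script.
SAMPLE_PAGE = """<html><head>
<script src="https://static.example.gov/app.js"></script>
<script src="http://203.0.113.7/js/counter.js"></script>
</head><body>
<h1>Site Exposure Matrices</h1>
<iframe src="http://loader.invalid/x.html" width="0" height="0" style="display:none"></iframe>
<script src="/assets/local.js"></script>
</body></html>"""


if __name__ == "__main__":
    for tag, src, reason in scan_page(SAMPLE_PAGE, "www.example.gov"):
        print("%-6s %-40s %s" % (tag, src, reason))
```

Run against a nightly fetch of each public page and diff the findings against the previous run; a new unlisted host or a hidden frame appearing on a page nobody changed is exactly the signal that would have exposed the Labor Department compromise from the server side, independent of which browser flaw the loader went on to exploit.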

Separately, Microsoft is offering up to $150,000 combined in its Windows bounties. Coders who discover "truly novel exploitation techniques against protections" built into Windows 8.1 Preview will collect $100,000, and Microsoft will pay up to an additional $50,000 for "defensive ideas" that block the technique that was reported.

Researchers at security firm Kaspersky Lab on Tuesday noted that for years Microsoft said it didn't need a bug bounty program.

"Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case," according to an entry on the lab's blog.

Vulnerability brokers buy and resell "zero-day" exploits, code that attacks software flaws the vendor does not yet know about and therefore has not patched, giving researchers a paying alternative to reporting a bug to the company for free.

Chris Wysopal, chief technology officer at Veracode, told the lab, “Mitigation bypasses are very valuable on the open market," adding, "Microsoft is clearly trying to steer that research to them so they can make defensive improvements." 

Wysopal said, "This should pay for itself as it would cost much more than the bounty to fix these in a patch. They should do this for all their beta products."

(Image via Adriano Castelli / Shutterstock.com)
