Microsoft will pay coders as much as $11,000 for discovering Web browser defects before hackers can serve up viruses through flawed dot-gov and other websites, the software giant announced on Tuesday.
Joining the "bug bounty" trend begun by Google and Mozilla, Microsoft will crowdsource error detection starting June 26, company officials said.
The firm wants to hear about "critical vulnerabilities” that affect Internet Explorer 11 Preview on Microsoft's new operating system, Windows 8.1 Preview. The direct cash payments for finding Internet Explorer defects only will be offered for one month, with a July 26 cutoff for submissions, according to the company's website.
"Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure," officials explained.
In May researchers identified a "watering hole" assault on the Labor Department's “Site Exposure Matrices” website that took advantage of an undetected vulnerability in certain IE browsers. The database lists nuclear-related illnesses linked to federal facilities and toxicity levels at each location that might have sickened employees developing atomic weapons. Watering hole attacks exploit glitches in websites to implant malicious software that then infiltrates the computers of people visiting the sites.
Under Microsoft’s program, $150,000 will be the top prize for programmers who discover and plug a hole in the new Windows operating system. Coders who discover "truly novel exploitation techniques against protections" in Windows 8.1 Preview will collect $100,000. Microsoft will shell out an additional $50,000 for "defensive ideas" that protect users from these threats.
Researchers at security firm Kaspersky Lab on Tuesday noted that for years Microsoft said it didn't need a bug bounty program,
"Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That’s no longer the case,” according to anentry on the lab’s blog.
Vulnerability brokers include researchers who sell "zero day" viruses that wriggle through previously unknown software flaws.
Chris Wysopal, chief technology officer at Veracode, told the lab, “Mitigation bypasses are very valuable on the open market," adding, "Microsoft is clearly trying to steer that research to them so they can make defensive improvements."
Wysopal said, “This should pay for itself as it would cost much more than the bounty to fix these in a patch. They should do this for all their beta products.”