$11,000 for Anyone Who Spots an Internet Explorer Bug Before Dot-gov Hackers

Microsoft will pay coders as much as $11,000 for discovering Web browser defects before hackers can serve up viruses through flawed dot-gov and other websites, the software giant announced on Tuesday.

Joining the "bug bounty" trend begun by Google and Mozilla, Microsoft will crowdsource error detection starting June 26, company officials said.

The firm wants to hear about "critical vulnerabilities" that affect Internet Explorer 11 Preview on Microsoft's new operating system, Windows 8.1 Preview. The direct cash payments for finding Internet Explorer defects will be offered for one month only, with a July 26 cutoff for submissions, according to the company's website.

"Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure," officials explained.

In May, researchers identified a "watering hole" assault on the Labor Department's "Site Exposure Matrices" website that took advantage of an undetected vulnerability in certain IE browsers. The database lists nuclear-related illnesses linked to federal facilities and toxicity levels at each location that might have sickened employees developing atomic weapons. Watering hole attacks exploit flaws in legitimate websites to implant malicious software that then infects the computers of people visiting those sites.

Under Microsoft's program, $150,000 will be the top prize for programmers who discover and plug a hole in the new Windows operating system. Coders who discover "truly novel exploitation techniques against protections" in Windows 8.1 Preview will collect $100,000. Microsoft will shell out an additional $50,000 for "defensive ideas" that protect users from these threats.

Researchers at security firm Kaspersky Lab on Tuesday noted that for years Microsoft had said it didn't need a bug bounty program.

"Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case," according to an entry on the lab's blog.

Vulnerability brokers include researchers who sell "zero day" exploits that take advantage of previously unknown software flaws.

Chris Wysopal, chief technology officer at Veracode, told the lab, "Mitigation bypasses are very valuable on the open market," adding, "Microsoft is clearly trying to steer that research to them so they can make defensive improvements."

Wysopal said, "This should pay for itself as it would cost much more than the bounty to fix these in a patch. They should do this for all their beta products."

(Image via Adriano Castelli /
