Microsoft today expanded the list of who can participate in its $100,000 bug bounty for new mitigation bypass techniques. In addition to security researchers, responders and forensic experts who find active attacks in the wild can now also participate.
Microsoft explains this means it is going from accepting entries “from only a handful of individuals capable of inventing new mitigation bypass techniques on their own” to potentially “thousands of individuals or organizations who find attacks in the wild.” Both organizations and individuals are now eligible to submit proof-of-concept code and technical analysis of exploits they find in active use in the wild.
Furthermore, Microsoft notes participants are eligible for up to $50,000 in addition if they also submit a qualifying defense idea. The submission criteria for both programs have not changed; only the source of the submission can now be different.
Microsoft says the move is part of a broader strategy to hit criminals hard:
We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we’ll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive.
This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.
There’s just one caveat. Participation in the expanded bounty program requires that organizations pre-register with Microsoft before turning in a submission of proof-of-concept code for bounty consideration. To do so, you’ll have to email the company at firstname.lastname@example.org and sign an agreement.
See also: Microsoft launches 3 bounty programs to award security folk up to $100,000 for finding flaws in its code and On Patch Tuesday’s 10th birthday, Microsoft awards first $100,000 bounty to security researcher for new exploit
Top Image Credit: AFP/Getty Images