Microsoft says it got 'few submissions' for IE11 bug bounty program

PanARMENIAN.Net - Microsoft said it had received "a few submissions" so far for its Internet Explorer 11 (IE11) bug bounty program, the first for the company, according to PCWorld.

"We've received a few submissions to date for the IE11 Preview Bug Bounty and the Mitigation Bypass Bounty ... [and] the investigations are underway," said Katie Moussouris, a senior security strategist lead, on a company blog.

The IE11 bounty was announced June 19 and kicked off June 26, with a limited-time run until July 26. During the month-long program, Microsoft will pay researchers up to $11,000 for each IE11 vulnerability they find and report.

A beta of IE11 was released June 26 as part of a public preview of Windows 8.1, the upgrade for Windows 8 and Windows RT, which does not yet have a definitive launch date. Microsoft has said it will ship Windows 8.1 this fall.

The other program Moussouris mentioned, the Mitigation Bypass Bounty, while not a true bug bounty, will award up to $100,000 for any novel exploitation technique able to circumvent Windows 8.1's layered defenses.

Moussouris also claimed victory, even after the IE11 bounty had run just one week.

"Some entries are coming from familiar researchers, and some are coming from researchers who had historically only reported issues via white market vulnerability brokers, after our beta period was over," she wrote. "This means that our strategy to attract researchers to report issues directly to us earlier in the release cycle is working already."

In an interview two weeks ago, Moussouris said that Microsoft's first-ever bug bounty was designed to motivate researchers to report vulnerabilities during the browser's beta, a period when third-party bug bounty brokers have declined to purchase flaws.

Those brokers, including HP TippingPoint's Zero Day Initiative and VeriSign's iDefense, have historically not paid for bugs in beta code because they have no way of knowing whether the flaws will be fixed before a product is shipped to customers.

Rewards for new IE11 vulnerabilities range from $500 to more than $11,000, depending on the type of bug and the amount of background material, including a working exploit, that the researcher provides.

Microsoft has published guidelines for the IE11 Preview Bug Bounty program on its website.
