Microsoft, the world's biggest software firm, has clearly been shaken by the rampant hacking taking place on the software front. Just yesterday Techworm brought you the news of a malicious email attachment that could open your computer's doors to attackers if you are using Windows Vista, Windows Server 2008, Office 2003, Office 2007 or Office 2010.
Today we bring all the ethical hackers, security researchers and hobby hackers a bit of good news. Microsoft has announced the latest version, or 'evolution' as Microsoft calls it, of its bounty program. You can take part in the bounty hunt with innovative and novel mitigation bypass techniques, and with defensive ideas that block those bypasses. Microsoft has specifically said that organizations and teams, including incident responders and forensic experts who find active attacks in the wild, are especially welcome.
And the bounty is huge. Microsoft will pay would-be bounty hunters $100,000 for a novel technique that bypasses its exploit mitigations (platform defenses such as DEP and ASLR, not firewalls). Microsoft will add a bonus of up to $50,000 if the submission also includes a qualifying defensive idea that blocks the bypass.
The object of the bounty program is simple and straightforward, but the task is utterly difficult. You have to find a way past the defenses, or mitigations, built into Microsoft's software and demonstrate that an attacker could exploit a vulnerability despite them. Once you have done so, you have to tell Microsoft exactly how the technique gets past the mitigation. Once Microsoft has verified the technique, it will hand over the bounty prize.
Microsoft's website describes the features of the bounty program as follows:
- Offering bounties for bugs when other buyers typically are not buying them (e.g. during the preview/beta period) allows Microsoft to get a number of critical bugs out of the market before they are widely traded in grey or black markets and subsequently used to attack customers.
- Offering researchers a $100,000 bounty to teach us new mitigation bypass techniques enables us to build better defenses into our products faster and to provide workarounds and mitigations through tools such as EMET.
- Evolving our bounty programs to include responders and forensic experts, who can turn in techniques that are being used in active attacks, enables us to work on building better defenses into our products. We will work whenever possible with our MAPP program and engage our community network of defenders to help mitigate these attacks more rapidly.
If you are an ethical hacker, a security researcher, or just lucky enough to find a bug, you can participate in the bounty hunt. You only have to pre-register by emailing your details to firstname.lastname@example.org. After you pre-register and sign an agreement, Microsoft will accept an entry consisting of a technical write-up and proof-of-concept code for bounty consideration.
By the way, there is already a $100,000 bounty winner 🙂 You can read all about James Forshaw's amazing win here.