Microsoft Pays Hacking Expert $100,000 for Finding Security Flaw

For finding security flaws in its software, Microsoft paid a well-known hacking expert one hundred thousand dollars this week, one of the largest bounties ever awarded by a major company for white-hat work.

James Forshaw, head of vulnerability research at London security consulting firm Context Information Security, won Microsoft's first reward of that sum for discovering “a new exploitation technique” in Windows 8.1, the software giant said on Tuesday. The company can now improve its security on multiple levels and create new defenses for future versions of products, Katie Moussouris, senior security strategist at the Microsoft Security Response Center, wrote in a blog post.

Though she wouldn’t disclose details about the mitigation bypass technique Forshaw identified until the company addresses it, Moussouris continued:

The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.

Microsoft was already familiar with Forshaw. He recently earned $9,400 for finding vulnerabilities in a preview release of Internet Explorer 11. He has also collected rewards from Hewlett-Packard Co. and other software companies for his work in exposing exploits and security flaws.

Tech companies paying hackers for discovering security vulnerabilities has become a common practice in the software development industry. Microsoft is one of the most recent to join in, debuting in June its bug bounty program that so far has paid researchers more than $128,000—with about 85 percent of that amount going to Forshaw alone.

Since 2010, Google has paid out more than two million dollars to “ethical hackers” who have found security weaknesses in its online tools and web apps. Facebook’s program has been around two years and has awarded more than a million dollars for bug discoveries. Last month the social networking site dished out $12,500 for the identification of a major software vulnerability, and while the amount was a big deal at the time, it now seems like peanuts next to Forshaw’s haul.

In June, researchers from the University of California, Berkeley published a paper examining “vulnerability rewards programs” and concluded that they provide great value to the companies implementing them. Such programs, the three authors point out, are cost-effective because, for a total payout comparable to the salary of a full-time security researcher, they deliver more findings.

Do you agree with the UC Berkeley researchers’ conclusion? Have you participated in a bug bounty program, or would you? Tell us in the comments below.
