Microsoft announced that it’s now willing to pay up to $100,000 for information about security bugs that can be used to bypass the defenses of Windows, starting with the upcoming preview version of Windows 8.1 to be released later this month.
For researchers who also detail new defensive techniques for preventing similar bugs from being exploited in the future, Microsoft will pitch in an extra $50,000 “Defense Bonus” per submission.
“These are super challenging to discover and they require a new technique, So to get people thinking in this area really does require a top-dollar reward.” says Mike Reavey, director of Microsoft’s Security Response Center.
Aside from those $100,000 and $50,000 bounties, Microsoft will also pay up to $11,000 for exploits affecting the preview version of Internet Explorer 11, a strategy designed to fix the software’s bugs before it’s widely released to users
Microsoft’s payouts compare to just $20,000 offered by Google for bugs in its Web applications, though the search firm did briefly offer $150,000 for a bug in its Chrome operating system in a competition in January and $60,000 for bugs in its Chrome browser the year before. Mozilla offers up to $3,000 for bugs in its software. Facebook pays a minimum of $500 but doesn’t specify its maximum reward.
Microsoft has created a reputation for working closely with the security research community, hiring hackers and hosting the Blue Hat security conferences in Redmond. At the Black Hat conference last year it awarded the first Blue Hat prize for researchers who develop defensive techniques against exploits, totally $260,000 in rewards.
Reavey says that the company has been receiving a growing stream of reports through third-party bug buying programs like the HP-owned Zero Day Initiative and Verisign’s iDefense, which pay up to $10,000 for bugs and report them the software’s vendor. It also saw the impact of events like the annual Pwn2Own competition, where hackers are sometimes paid six-figure rewards for developing advanced exploits against Microsoft products and then revealing their techniques.
“We find out about [these advanced exploits] once a year through these events, or unfortunately, in the wild,” says Reavey. “We want o get them year round as early and often as possible.”