
Microsoft Hands Out $28k In IE11 Bug Bounty Program

Unknown Lamer posted 1 year,14 days | from the freedom-not-included dept.


hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program, which ran for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26, with Microsoft revealing at the time that it would pay out a maximum of $11,000 for each IE11 vulnerability reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design-level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs, while Google engineers Ivan Fratric and Fermin J. Serna were handed $1,100 and $500 respectively."


57 comments


It is just QA cost saving (5, Insightful)

faragon (789704) | 1 year,14 days | (#45067325)

So they spend millions in developing IE, including reviews, QA, etc., and they pay such miserable money for bug locating/fixing? Come on.

Re:It is just QA cost saving (1)

Anonymous Coward | 1 year,14 days | (#45067367)

This -> "miserable". What they pay out for a bug is not even a week's salary for the marketing guys. Why help a "megacorp" when the reward is a pittance? If I thought it was worth it documenting all the bugs I find in MS products (and there are a few a week; and I am NOT a security researcher. It's just shit I stumble upon.) I would just post them online, screw the money.

Re:It is just QA cost saving (5, Insightful)

Anonymous Coward | 1 year,14 days | (#45067503)

You *should* post them online.

If you give MS secret notice and a heads up, then the NSA gets the bugs and exploits them, and MS takes ages to implement a fix. It's the real world here; they've been hacking Belgian telcos, oil companies, banks using that trick. When discovered, MS simply pretended it was a zero-day exploit used by Russian or Chinese hackers and quickly rolled out a fix.

If you post it online on the other hand, we immediately know about it, and can immediately mitigate it by blocking that subsystem, or turning off this and that feature. Not perfect, but better than some military hacker only following orders.

Re:It is just QA cost saving (1)

ruir (2709173) | 1 year,13 days | (#45068871)

So you are saying Microsoft needs an exploit and that they would be able to program any backdoor they wanted. Does it even make sense?

Re:It is just QA cost saving (1)

Anonymous Coward | 1 year,14 days | (#45067497)

I'm guessing at least some of those would be otherwise doing this for free, now they get both recognition and some money. Depending on how long it took to make their findings it might not even be a miserable amount (then again, it might).

And it's only for Internet Explorer and mitigation (2)

Myria (562655) | 1 year,13 days | (#45067557)

They were only offering bounties for two particular things in Windows: Internet Explorer 11 and the new anti-exploit mitigations in Windows 8.1. Even though there are plenty of other security targets in Windows, only those two things would get you money.

I found a bug in Windows's Secure Boot code that I'm using to jailbreak Windows RT. I might as well; it's not like they pay bug bounties for Secure Boot exploits.

The exploit could be used to run Android on Surface RT with a kexec-like driver implementation, but this would be a huge amount of work for someone who doesn't know Linux internals.

Re:It is just QA cost saving (2)

Gavagai80 (1275204) | 1 year,13 days | (#45067581)

It's a win-win, helps Microsoft and helps the researchers. Nothing wrong with that. There's something to be said for getting people far removed from the project and company looking at it too; they'll catch things that Microsoft employees just never would because of different perspectives and processes and goals.

Re:It is just QA cost saving (1)

Nerdfest (867930) | 1 year,13 days | (#45068223)

It's also a win for all of those people who are stuck with Windows (or at least think they are). It's still too dangerous to browse the web without protection in Windows.

Re:It is just QA cost saving (0)

Anonymous Coward | 1 year,13 days | (#45068339)

Not really, it's a win-shitwin; researchers would be morally and financially better off selling it on the black market.

The prices are much better and you aren't part of the chain that sends drones off to kill people. (Worst case I guess is identity fraud, but people are insured here. Even if you have life insurance, it's not gonna bring you back to life after a drone strike.)

Re:It is just QA cost saving (1)

synapse7 (1075571) | 1 year,13 days | (#45068607)

The problem with this is spammers may offer more than what MS is offering.

Re:It is just QA cost saving (2)

K. S. Kyosuke (729550) | 1 year,13 days | (#45067583)

So they spend millions in developing IE, including reviews, QA, etc., and they pay such miserable money for bug locating/fixing? Come on.

Well, it's a free market, auction it to the highest bidder. :-)

Re:It is just QA cost saving (1)

HockeyPuck (141947) | 1 year,13 days | (#45067747)

Is it miserable to the researchers? Whether they got $9400 or $500, surely they don't mind the cash. If you want MSFT to pay you $100,000 to find bugs, then apply for a QA position at MSFT and negotiate a $100k salary.

If I had the skills of a security researcher, I'd look at this as a way to make a few easy bucks.

Re:It is just QA cost saving (1)

Anonymous Coward | 1 year,13 days | (#45067949)

Agree, it's f*cking cheap and typical MS (cut corners in all the wrong places, always); why not adopt a properly documented reward system like Google's? http://www.google.co.uk/about/appsecurity/reward-program/

To be fair (1)

SmallFurryCreature (593017) | 1 year,13 days | (#45068497)

That is a LOT of bug detectors who got 1 dollar from MS.

Re:To be fair (0)

Anonymous Coward | 1 year,13 days | (#45068985)

Yes, it seems to be the new positive spin on X vulnerabilities spotted in IE11

Re:It is just QA cost saving (1)

Shavano (2541114) | 1 year,13 days | (#45068955)

They're doing their software testing on the cheap, having users find the defects in their code for an amount of money that's not worth the time of software professionals. That sucks, but it's better than what they and everybody else used to do: release shamefully buggy software as a public beta test (whether or not they called it that) and expect users to report bugs for no compensation at all.

But look at it this way:

So they spend millions in developing IE, including reviews, QA, etc., and they pay such miserable money for bug locating/fixing? Come on.

If IE11 has the expected number of bugs, they will still spend almost as much on testing as they did on development.

Re: It is just QA cost saving (0)

Anonymous Coward | 1 year,13 days | (#45069371)

But, I'm sure you think it's 'innovative' and 'forward thinking' when Google does the exact same thing.

Not that I'd expect anything less from anyone posting on this site.

Re: It is just QA cost saving (1)

tom229 (1640685) | 1 year,13 days | (#45069703)

My thoughts exactly. The entire bug bounty they paid for one of their flagship products is a fraction of what my small business spends on Microsoft licencing per year. If I was any of the above people I'd just sell my findings to the malware companies.

Re:It is just QA cost saving (0)

Anonymous Coward | 1 year,13 days | (#45075715)

It just means that they don't want to pay for more than 2 days work in finding their bugs, provided that the people finding them are just out of the university, and have only basic skills. For a real developer it's probably closer to one day, maybe less. Guess they aren't all that serious about actually finding/fixing anything but the most obvious bugs.

Re:It is just QA cost saving (1)

lipanitech (2620815) | 1 year,11 days | (#45094671)

This being the first time they have ever done this just shows, I think, that all companies are going to have to start offering this unless they want their exploits sold on the black market. If Java offered that much per bug they would have fewer problems.

Internet Explorer Trending UP (2)

tuppe666 (904118) | 1 year,14 days | (#45067413)

http://www.w3counter.com/trends [w3counter.com]
http://gs.statcounter.com/ [statcounter.com]
http://marketshare.hitslink.com/browser-market-share.aspx?qprid=1&qpcustomb=0 [hitslink.com]

There is an unexplained trend upwards in Internet Explorer.

Re:Internet Explorer Trending UP (2, Interesting)

Anonymous Coward | 1 year,14 days | (#45067483)

It really isn't that hard to explain: while the crowd here hates anything MS, IE10 and IE11 are pretty decent, especially when browsers like Firefox have gone downhill and people are starting to distrust the big bad Google even more with spybrowser Chrome. What I always find amazing though is that Opera never seems to catch on as a high flyer despite its consistent performance over the years.

Love is the Answer (2, Insightful)

tuppe666 (904118) | 1 year,13 days | (#45067641)

...the crowd here hate anything MS...

If your answer includes "Microsoft is Hated" as a reason for anything, you are right not to register here. Ignoring the fact that you sound like a sulky 16-year-old girl, the mix here is far from being Linux and Apple centric. Microsoft is an abusive, customer-hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...but that would not stop them using IE. If it wants to be loved, producing decent products would be a good start.

The answer is unlikely to be a new version of IE (one over a year old and one unreleased)..."better" is just another unmeasurable "meh"; it does not cut it here, or anywhere. It is still a vastly behind, platform-centric option. If IE10 was any good (IE11 not yet released) it would have started making traction 13 months ago...not now.

Re:Love is the Answer (0)

Anonymous Coward | 1 year,13 days | (#45067705)

You just proved his/her point.

On a side note, some users may switch to new browser versions on day one, but companies don't. So expecting trends to visibly change around the release date of a browser is naive at best.

Why do I bother (1)

tuppe666 (904118) | 1 year,13 days | (#45067813)

trends to visibly change around the release date of a browser is naive at best.

That is not what I said. My point is that if a better(sic) browser was the reason for the years of Internet Explorer market decrease, ironically despite vastly better browsers on the market, then for it to happen thirteen months after launch is inconceivable...people do not suddenly start getting old products without some catalyst for change, as even you claim the launch of the new version wasn't one (you go further, claiming it couldn't be).

The bottom line is the catalyst for change is somewhere else. I suspect that Internet Explorer's sudden change of fortune is a side effect of another change.

Re:Why do I bother (0)

Anonymous Coward | 1 year,13 days | (#45067943)

I can't explain the trends either. But anyway, as a web developer (UI and usability aside, focusing on standards support and performance), IE is no longer bad. It even surpasses other browsers on certain things. It clearly leads when it comes to GPU acceleration, for example. I'm working on a canvas-based JavaScript game, and IE runs it the fastest on Windows. Same thing on Windows Phone. You could argue that's because they run on a Microsoft OS, but before IE9, other browsers were always clearly faster than IE on MS OSes.

Independent Measures (2)

tuppe666 (904118) | 1 year,13 days | (#45068181)

http://html5test.com/results/desktop.html [html5test.com]
Chrome score 463
Firefox score 414
Internet Explorer 10 scores 320 (Internet Explorer 8, which XP users are trapped on, scores 42)

http://www.tomshardware.com/reviews/chrome-27-firefox-21-opera-next,3534-12.html [tomshardware.com], which benchmarks the various browsers extensively, gives
Firefox score 326
Chrome score 326
Internet Explorer score 182

Re:Independent Measures (1)

Jaktar (975138) | 1 year,13 days | (#45068429)

Those numbers are nice and all but I just ran a tool that checks whether or not my browsers are Internet Explorer.

The only browser that passed the Internet Explorer test was Internet Explorer 10.

I also tested Pale Moon and Comodo Dragon and they both got 0% on the "Is my browser Internet Explorer" test.

Re:Independent Measures (1)

Crudely_Indecent (739699) | 1 year,13 days | (#45069217)

You really need to work on your delivery.

And the "Is my browser Internet Explorer" test replied:
Internet Explorer - but I hardly know 'er

Re:Why do I bother (0)

Anonymous Coward | 1 year,13 days | (#45068389)

You go, girl!

Re:Love is the Answer (0)

Anonymous Coward | 1 year,13 days | (#45067925)

Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...

Heh. The sad thing is that if you swap the names Google or Apple into that statement (or any of a number of other obvious names), it would hold just about as much truth.

There are plenty of good reasons right now to hate either of them just as much as MS. The only difference is that historically MS has been hated for longer.

The only real issue here is trust. If you have an issue with that, I suggest you use Firefox. Otherwise, IE10/11 is as good a browser as any other.

Black is White (3, Insightful)

tuppe666 (904118) | 1 year,13 days | (#45068097)

Microsoft is an abusive, customer hostile company that deserves to be hated. The reality is it isn't. People are fickle, and right now Microsoft is one disappointment after another...

Heh. The sad thing is that if you swap the names Google or Apple into that statement (or any of a number of other obvious names), it would hold just about as much truth.

Except it's not even remotely true. Google move from strength to strength, and Apple are immune to criticism. Microsoft is surrounded by failure both in its traditional "monopoly" market, Windows, and its new markets, "products and services". Ballmer got stabbed in the front by Bill "my charity is better than yours" Gates "I don't have to pay tax". Its Xbone launch was anti-gamer.

Want proof? http://www.interbrand.com/en/best-global-brands/2013/Best-Global-Brands-2013.aspx Apple is considered the top brand...Google the top riser. (Microsoft did rise a smidgen though ;)

Re:Love is the Answer (-1)

Anonymous Coward | 1 year,13 days | (#45068025)

Microsoft is an abusive, customer hostile company that deserves to be hated.

Says the Linux zealot. Now here's another side: I used to hate Microsoft back when I was using my Amiga 500 simply because it was the thing to do. Years later I built my own PC and started with Windows 95. I've noticed a steady improvement over the years, yet I never really appreciated Microsoft until I used Linux and saw how terrible it was. I've also observed Linux zealots and so-called "advocates" lying, spreading FUD, and insulting people who either don't share the same fondness for Linux or express criticism.

Re:Love is the Answer (0)

Anonymous Coward | 1 year,13 days | (#45068045)

Sir. You're interrupting the anti-MS circle jerk. Move along.

Re:Love is the Answer (0)

Anonymous Coward | 1 year,13 days | (#45070335)

I can't even understand what you're saying. Is English not your first language?

Re:Internet Explorer Trending UP (1)

qaz123 (2841887) | 1 year,13 days | (#45067647)

Font rendering in IE11 on Windows 8 is poor. I'd like to use IE but because of this I can't.

Re:Internet Explorer Trending UP (1)

cdrnet (1582149) | 1 year,13 days | (#45068011)

It can't possibly be worse than Chrome which has dreadful font rendering on Windows.

Re:Internet Explorer Trending UP (1)

cdrnet (1582149) | 1 year,13 days | (#45068021)

Correction: dreadful *Web*-font rendering. Normal system fonts are quite ok.

Re:Internet Explorer Trending UP (0)

Anonymous Coward | 1 year,13 days | (#45067829)

What I always find amazing though is that Opera never seems to catch on as a high flyer despite its consistent performance over the years.

Well, it's too late now. Nobody needs Chrome with a different theme.

Which is a shame, Presto was really nice.

Re:Internet Explorer Trending UP (1)

Lennie (16154) | 1 year,13 days | (#45069611)

No, new Windows installations only come with one browser.

If the browser works well enough, people don't install another browser.

That is what is going on.

Re:Internet Explorer Trending UP (0)

Anonymous Coward | 1 year,13 days | (#45070235)

If you have ever used Opera, you know why it has never caught on.

Re:Internet Explorer Trending UP (0)

Anonymous Coward | 1 year,13 days | (#45067735)

Firefox has gone to shit ever since versions 20 and beyond.
I really thought 24 was a winner but it's back to running like shit again.

Quad core i7, 16 gigs of RAM, high end nvidia video card, 100mbps internet and I can't even watch a fucking youtube video.

Chrome and IE for the win.

Firefox off topic. (1)

tuppe666 (904118) | 1 year,13 days | (#45067851)

can't even watch a fucking youtube video...chrome and ie for the win.

Ironically, changes come at the expense of Chrome. Ignoring the fact that most users manage quite nicely to play videos on YouTube, it is unlikely that Google would not ensure that Firefox works well with YouTube. YouTube has an HTML5 trial http://www.youtube.com/html5 [youtube.com], and it works great. In other news, the Firefox team is working towards a Flash replacement, "Shumway" http://www.areweflashyet.com/shumway/ [areweflashyet.com]

It looks like YouTube is a reason for using Firefox, not against it. As for your hardware, Flash is fast enough to run on anything but an iPhone ;)

Re:Firefox off topic. (0)

Anonymous Coward | 1 year,13 days | (#45067895)

GP is probably one of those spergoids that never reboots and has 200 tabs open.. Welcome to reference leak country.

And NSA pays them how much for 0-day? (0)

Anonymous Coward | 1 year,14 days | (#45067467)

And they receive how much money from the NSA for providing them with details of zero-day exploits?

Are they still providing NSA with zero day exploits BTW? I assume the answer is yes.

Re:And NSA pays them how much for 0-day? (1)

Myria (562655) | 1 year,13 days | (#45067577)

And they receive how much money from the NSA for providing them with details of zero-day exploits?

Are they still providing NSA with zero day exploits BTW? I assume the answer is yes.

It's more likely that the NSA pays VUPEN rather than Microsoft. Paying Microsoft directly would have blowback.

Depends on the amount (1)

Anonymous Coward | 1 year,13 days | (#45067675)

It's unlikely to be cash, but gee, contracts. Big fat NSA surveillance equipment contracts. I can well believe those are the reward for the 0-day exploits.

I'm reminded of the QWEST CEO, the only telco to resist the NSA's illegal demands... and was prosecuted for insider trading and suspects it was reprisal.
https://www.techdirt.com/articles/20130927/14413024680/one-telco-exec-who-resisted-nsa-has-been-released-4-years-jail.shtml

However, one of the things he mentions is that as soon as he resisted the NSA's demands, a big NSA contract with QWEST was cancelled (as presumed punishment).

So it's not pocket change they're playing for here; it will be millions, potentially billions, of Microsoft revenue at stake for not playing along with the NSA's power grab.

prying money from their cold dead hands (1)

ebonum (830686) | 1 year,13 days | (#45067629)

Microsoft:
3 months ending 2013-06-30:
Revenue: 19.896 Billion USD
Cost of goods/revenue sold: 5.602 Billion USD
Gross Profit: 14.294 Billion USD
Source:
https://www.google.com/finance?q=NASDAQ:MSFT&fstype=ii&ei=wcBTUtihB8z2qQHI8AE [google.com]

Out of their cost of goods sold, these researchers got 0.00049982%.
Methinks their contribution to M$ is more than a few 10,000ths of 1%. They did what the 5.6 billion spent on internal people failed to do. And M$ doesn't have to pay their healthcare.

The cost of the meeting (hourly pay, room, overhead, etc.) for a bunch of execs at Microsoft to figure out how little to give these guys most likely cost more than 28,000 USD.

One can't help but to note that they gave the Google employees just enough to pay for dinner in downtown Palo Alto.

cheap skates (0)

Anonymous Coward | 1 year,13 days | (#45067731)

They would get a lot more on the black market. M$ should pay more.

The bloody industry is crap (1)

Imaman (2733027) | 1 year,13 days | (#45068165)

That's what you get when management shit-for-brains get to decide what buzzwords are relevant in a job application. Framework familiarity > actual skills. Coincidentally the reason I left the biz.

IE11 is a great browser... (0)

Anonymous Coward | 1 year,13 days | (#45068455)

...for downloading Mozilla Firefox.

For 28k... (0)

Anonymous Coward | 1 year,13 days | (#45068563)

I would've told them not to bother with the Surface 2, most cost-efficient consulting ever!

Cheaper than hiring a security professional (0)

Anonymous Coward | 1 year,13 days | (#45068583)

Why hire a professional and pay a professional salary when they can get people to work for peanuts? Forget about a career.

Did you check Dr. Stock? (-1, Flamebait)

MaryAnnwhite (3389231) | 1 year,13 days | (#45068667)

I'd like to share a website info with you. I hope you like it. I liked it very much. It is very useful; you may value stock prices by yourself. It is like a fundamental stock price analysis calculator. I think it works correctly. For example, I tested for Intel's stock price. The intrinsic value of Intel was calculated as 23.20 USD. Today's highest stock price was 22.85 USD. It was a pretty good result. The important thing is the system doesn't use any previous or current stock price while it is calculating the intrinsic value. I think that the calculator gives correct results. If you are interested, you may visit http://www.drstock.org/ [drstock.org]

My experience with IE10 (0)

Anonymous Coward | 1 year,13 days | (#45070423)

Believe it or not, it's mostly positive. It has adblocking capability built in (tracking protection filters, though you have to download the lists from EasyList or Fanboy). It's... well, it's not as snappy as some of the more recent browsers, but it's not slow. It seems to render things correctly.

I do have one big complaint, though. They got rid of the upper right search box. I thought maybe they combined it into the URL bar, but I've been using it for several months and, if they did, I sure as heck can't figure out how to search from there. Maybe I disabled it by accident, but I certainly don't remember doing anything of the sort. I actually had to download and install Bing bar to get a freaking search box that I can readily use. That's crazy and there's no reason for it. The old design with the search box in the upper right worked just fine. Ugh.

IE is up to 11 now? I left at 6. (1)

MXB2001 (3023413) | 1 year,13 days | (#45072691)

Drat. And to think I could be making _big_ money if I only had kept up to date with my Operating System and its preferred browser...
