One intrepid fellow was awarded $100,000 from Microsoft for discovering a bug in the preview version of Windows 8.1. Detailed on the Redmond company’s BlueHat blog, the bounty is part of an earlier initiative Microsoft detailed that challenged researchers to exploit its Windows and Internet Explorer software. A Google engineer earlier this year was first to profit from Microsoft’s cash-for-bugs program, finding a vulnerability inside IE11.
The big money was awarded to James Forshaw, a security researcher working with Context Information Security. Microsoft said it is “thrilled” to hand the money over, and that Forshaw’s discovery will only make Windows 8.1 stronger. The company said Forshaw’s exploit was actually similar to a bug one of Microsoft’s own engineers discovered, though Forshaw’s was of the highest quality. Thus, he received the $100,000 bounty.
Microsoft said it doesn’t plan on revealing Forshaw’s exploits until they’re all patched up. “We are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants,” Microsoft wrote.
Microsoft is taking the bug so seriously because it actually helps the company defend against classes of attack: “This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers.”
Have a mitigation bypass technique you think Microsoft should know about? The company says anyone can participate, and that it’s not done evolving its bounty programs. An extra $100,000 for some security research isn’t too bad. And, hey, it’s ultimately for a good cause: ensuring that current and future Windows versions are that much stronger.