Microsoft has awarded $100,000 to James Forshaw, a security researcher at Context Information Security, for coming up with a new exploitation technique around the built-in protections of Windows 8.1. The announcement was made on Microsoft's BlueHat blog and marks the second payout since the company kicked off its first bounty programs earlier this year -- the first involved IE 11 and totaled $28,000 paid out to six security researchers.
The company isn't detailing the exploit until it is fully addressed. Coincidentally, Microsoft notes one of its own engineers found a variant of the attack that Forshaw reported, but his submission “was of such high quality and outlined some other variants” that they thought it deserved the maximum payment for new attack techniques.
Forshaw was also among the group of researchers who cashed in on the IE11 Preview Bug Bounty, bringing his total earnings up to $109,400. Not a bad week indeed. The Australian researcher has been credited with identifying several dozen software security bugs at similar events, including a $20,000 bounty from HP’s TippingPoint for exploiting Oracle's Java software at Pwn2Own.
Microsoft explains that payouts for new mitigation bypass techniques are far more generous than traditional bug exploits because learning about them helps the company develop defenses against entire classes of attack.
Commenting on the approach, Context Security’s Forshaw said, “Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offense to defense. It incentivizes researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.”
The company is also running a separate program called BlueHat Bonus for Defense that will award up to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission.