Microsoft boosts Bug Bounty program to fight software flaws

The maker of Windows and Office has revised its bug-hunting schemes with improved rewards, bonuses and the addition of new valid programs.

Bug bounties relating to operating system defenses have been doubled for a limited time. (Image: Microsoft)

Microsoft is using the occasion of the Black Hat hacker conference as a springboard to unveil a new approach to bug bounties.

With the launch of Microsoft's latest operating system, the race is on to discover overlooked bugs and security flaws that could place users at risk. Microsoft's Windows operating system, alongside Flash and Java, is a constant target for cyberattackers due to the popularity and widespread use of the system.

Now that Windows 10 is available, it is important to entice as many researchers as possible to submit vulnerabilities before they become a widespread security challenge or are released into the underground markets for sale.

Jason Shirk, security architect at Microsoft, announced changes to the Redmond giant's bug bounty program on Wednesday alongside demos at the Black Hat conference in Las Vegas. In a blog post, Shirk said Microsoft's Bug Bounty programs have been revised with a number of changes.

Rewards for the Bounty for Defense, a reward for defensive ideas that accompany a qualifying Mitigation Bypass submission, have been raised from $50,000 to $100,000. Microsoft says this alteration "brings defense up on par with offense": the tech giant already offers up to $100,000 for "truly novel" exploits against the Windows operating system.

"Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would," Microsoft says.

The tech giant believes the "novel defender" should be rewarded "equally" for their research.

Microsoft is also placing more emphasis on combating authentication security flaws. If a researcher finds an authentication vulnerability and submits it through the Online Services Bug Bounty program within the "bonus" period of August 5 to October 5, their rewards will be doubled.

In other words, Microsoft Service Account and Azure Active Directory authentication vulnerabilities discovered within the two-month period can pay up to $30,000, rather than Microsoft's standard $500 to $15,000 reward.

Finally, the Redmond giant is adding RemoteApp to the list of domains covered in the Online Services Bug Bounty, which is used to run Windows apps hosted on Azure on a variety of devices.

On August 5, Microsoft rolled out its first package of non-security-related updates and fixes for Windows 10. Officially known as KB3081424, although dubbed "Service Release 1," the updates are delivered via Windows Update and include functionality and reliability fixes.

This story was originally posted as 'Microsoft raises the bar for Bug Bounty programs' on ZDNet.