Cast your mind back to June and you might remember that Microsoft put out a bounty for flaws in Windows 8.1 and Internet Explorer 11. The company promised direct cash payments for those who could provide truly novel exploitation techniques built into Windows 8.1 Preview. Redmond promised up to $100,000.
Six months down the line, the company is paying out. The company updated its BlueHat blog, congratulating James Forshaw for coming up with a new exploitation technique. Forshaw is a security vulnerability researcher with Context Information Security and had already found design-level bugs in IE11 (in other words, this may be the biggest payment he's received from Microsoft, but it's not his first).
"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack," Microsoft said today. "This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."
Unfortunately, Microsoft won't go into the details of Forshaw's exploit (it has to address the issue first), but the company did say that one of its own engineers also found a variant of this class of attack technique. Microsoft says it's already paid out over $128,000 thanks to its bounty programs. You can check out the guidelines for taking part here.