Microsoft has just paid its first ‘bug bounty’ – a cash reward for finding and responsibly reporting a security vulnerability – to a Google engineer, for a bug found in the preview version of Internet Explorer 11 shipped with the Windows 8.1 preview.
The security community has responded enthusiastically to our new bounty programs, submitting over a dozen issues for us to investigate in just the first two weeks since the programs opened. I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)
Offering cash rewards for reporting bugs is fairly common, Google and Facebook being well-known examples. The sums offered – typically single-digit thousands – don’t compete with what the same information fetches on the black market from people who want to exploit it, so the payments are not meant to outbid criminals; they are meant to give researchers who would never sell to the bad guys a reason to report promptly rather than sit on what they have found. The maximum amount paid by Microsoft under this program is $11,000.
Microsoft had long resisted bounty payments, arguing that 90 percent of vulnerabilities were reported to the company anyway, but is now experimenting with the idea on a small scale.
Microsoft criticised Google back in May for cutting its disclosure deadline from sixty days to seven for vulnerabilities already being exploited, arguing that a week didn’t allow a vendor sufficient time to build, test and ship a fix. Google countered that where an exploit is already in use, urgent publicity is required so that users can protect themselves with workarounds until a patch arrives.
Google has a strong interest in the security of Microsoft software. When Chinese hackers broke into Google, they used a number of Microsoft vulnerabilities to do so.