Information Security News mailing list archives

Microsoft breaks bug-bounty virginity in $100,000 contest


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 20 Jun 2013 07:12:45 +0000 (UTC)

http://www.theregister.co.uk/2013/06/19/microsoft_bug_bounty_black_hat/

By Iain Thomson in San Francisco
The Register
19th June 2013

Microsoft is breaking its long-standing tradition of not paying for security vulnerabilities by offering a $100,000 cash prize for the first penetration tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it.

At this year's Black Hat USA conference – held at the end of July in the sweaty hell that is Las Vegas at that time of year – Microsoft will offer $100,000 (and a laptop) to the hacker who can demonstrate a critical vulnerability in Windows 8.1, either at the conference or afterwards.

Any successful hacker can earn an additional $50,000 "BlueHat Bonus" if they can tell Redmond how to fix a major flaw in the operating system. In addition, there's an $11,000 bounty on Internet Explorer 11 Preview Edition vulnerabilities – but with a 30-day time limit – presumably so that any new problems can be fixed in time for the final release.

The market for software vulnerabilities is a contentious issue. Proponents point out that cash payouts are the only way for independent security researchers to make a living and that the resulting disclosures have immense benefits for end users. Opponents suggest that hackers should disclose responsibly as a matter of morality. Meanwhile, there's a thriving black market for software flaws, especially zero-day vulnerabilities.

[...]

_______________________________________________
ISN mailing list
ISN () lists infosecnews org
http://lists.infosecnews.org/mailman/listinfo/isn_lists.infosecnews.org
