Microsoft has awarded its first ever $100,000 bounty to a security researcher who discovered a bug in Windows 8.1. The software giant has traditionally shied away from paying rewards for security issues, but the company announced its first bug bounties earlier this year specifically designed for Windows 8.1 and Internet Explorer 11. A Google engineer was first to profit from the bounties with a reward for an IE11 bug.
While Microsoft was offering up to $11,000 for IE exploits, the big money was invested in "truly novel" exploitation techniques against Windows 8.1. James Forshaw, a security researcher at Context Information Security, picked up the full $100,000 bounty for detailing a bug that worked around some protections in the preview version of Windows 8.1. Forshaw also previously won a bounty for his role in detecting an IE11 vulnerability. Microsoft isn't detailing the exploit until the company has fully addressed it.
"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack," explains Microsoft's senior security strategist Katie Moussouris. Although the IE11 bug bounty program is now closed, Microsoft is still seeking Windows 8.1 bugs. Microsoft has paid out over $128,000 so far.