Microsoft has issued its first bug bounty award to a Google engineer. The software maker created several bug bounties late last month that will run until the end of July. The IE11 preview bug bounty awards up to $11,000 for critical vulnerabilities, and Google engineer Ivan Fratric is the first to receive an award under it for a vulnerability he reported. Microsoft has traditionally avoided general and public bug bounty programs, opting to hold smaller contests for specific exploits.
Microsoft's Katie Moussouris recently revealed in a blog post that the company had issued its first bug bounty, but she stopped short of identifying the individual involved. In a Twitter post on Thursday, Moussouris congratulated the Google employee on being the first to qualify for the IE11 bug bounty. The win is ironic, but not unusual. Google engineers regularly report security issues in Microsoft's software directly to the company, and some choose the open and public approach of disclosure.
Microsoft wants to squash bugs earlier
While Microsoft's bug bounty program offers up to $11,000 as a reward, it's not clear how much the company is paying for its first successful entry. "We have other researchers who have qualified for bounties under the IE11 program as well," notes Moussouris. Over a dozen issues have been reported to Microsoft in the first two weeks since the bug bounties launched, more than the company normally receives during an average month. Microsoft is happy with its strategy so far. Moussouris explains that "It’s not about offering the most money"; the focus is instead on gathering bugs during the preview stages of Microsoft's product releases. With a more frequent cycle of updates planned for Windows, these bug bounty programs could become essential for Microsoft during its new focus on "rapid pace" software and services updates.