Interview: We chat with the winner of Microsoft's first $100,000 Windows 8.1 bounty

Microsoft, for obvious reasons, wants people to use Windows 8.1 on their PCs with the knowledge that it has been built to be as secure as possible. That's why the company launched new bounty programs in June that pay third-party security researchers for finding and reporting vulnerabilities and novel exploitation techniques in Windows 8.1 to Microsoft. This week, the company announced that researcher James Forshaw was the first to be awarded under the new program and, as it turned out, the mitigation bypass technique he found in Windows 8.1 was significant enough that Microsoft awarded him the full $100,000 prize.

Neowin got Forshaw to answer a few questions via email about himself and his reaction to winning the big bounty from Microsoft, among other topics:

First can you tell us a bit about your background in computer software security?

I have been working in the industry developing secure software and doing security research for over 10 years. Currently I am the Head of Vulnerability Research at Context Information Security which affords me a lot of freedom to pursue bounty programs such as this.

What was your reaction when Microsoft announced its new software bounty awards?

I was initially surprised that Microsoft had been able to have a bounty at all (last year’s Bluehat prize wasn’t quite the same thing). It did become clear however that they wanted to offer bounties for areas not traditionally handled by many of the other vulnerability brokers or vendors which I thought was an interesting approach to take.

You found what Microsoft says is a mitigation bypass exploit in Windows 8.1. We know you can't go into details about what you found but can you tell us how hard it was to find the exploit and how much time it took?

Overall my research took around 3 or 4 weeks, although there were some initial false starts due to some of my ideas not being viable approaches. The winning submission was perhaps 2 weeks of work from the initial idea to the final finished version which I sent to Microsoft. It was certainly an interesting challenge as Microsoft have done a lot of work to mitigate against security vulnerabilities.

You also found a number of issues in the preview version of IE11 which Microsoft also rewarded with a separate bounty. Did you use a different method to find exploits in IE11 than for Windows 8.1?

The approach was different, in so far as the mitigation bypass work started with more abstract ideas which I then attempted to validate while the IE11 exploits came from me reverse engineering the product and looking for vulnerabilities.

When you first heard that Microsoft was going to give you the full $100,000 bounty, what was your first reaction?

I was very happy to have the recognition that I had come up with something novel.

What do you plan to do with that money when you receive it?

The majority of the money will go to my employer; I head up a vulnerability research team at Context and it will be useful for that. I will receive a part of the money as a bonus but I do not yet know what I will do with it.

What are your feelings on Windows 8.1 as a whole in terms of security compared to older versions of Windows?

I feel 8.1 is certainly the most secure, at least in terms of mitigations against the exploitation of security vulnerabilities. Even compared to 8 there have been interesting changes which try to mitigate against whole classes of vulnerabilities. Still I am sure there is more to be done.

Finally, if a person is interested in becoming a computer security researcher, what advice would you give him or her?

I would say study as much about software vulnerabilities as possible, understand existing exploits, say by looking through the Metasploit source code, and get a good grasp of programming languages and lower-level machine instructions. Most important to successful security research is persistence; unless you are extremely lucky you won’t find a new vulnerability in everything you look at, sometimes there are just no bugs to find. You need to be able to live with the occasional failure.

We would like to thank James for answering our questions!

Image via Microsoft


11 Comments


AsherGZ said,
What, why in hell would he give his employer any money?

It really depends on if he did the work on his company's time while using their resources. If he did, then technically the money belongs to his company. However if he did it all on his own time using his own resources then he shouldn't have to give anyone anything.

uxo22 said,

It really depends on if he did the work on his company's time while using their resources. If he did, then technically the money belongs to his company. However if he did it all on his own time using his own resources then he shouldn't have to give anyone anything.

Also depends on if he has a contract, and exactly what it says in that contract with his employer.

AsherGZ said,
What, why in hell would he give his employer any money?

It sounds like this was done not only as a personal venture but it's also part of his everyday job. Another question that could have been asked is what other current projects he may be working on (which was kind of answered when it came to IE11). Wouldn't be surprised if he and his team dedicate a lot of time contracting out for vulnerability testing and collecting bounties.

Either way, great work!

AsherGZ said,
What, why in hell would he give his employer any money?

Please excuse me if I am being somewhat negative here, however, that sounds a lot like military officer talk. It's very political. Chances are this was done by a whole team and this guy was in charge. I am sure the money will be distributed to the members and the company will get a nice shiny badge for security contracts.

Does someone have access to the rules? Maybe only a single person can claim these "prizes"? It would make sense if that's the case. I am too lazy to look.

xendrome said,

Also depends on if he has a contract, and exactly what it says in that contract with his employer.

nm

The takeaway? Windows 8.1, most secure Windows OS ever (perhaps even more secure than OS X in terms of built-in exploit mitigation & security). Even more secure thanks to this guy and the bounty program. Godspeed to any diehard XP fans out there come April ha

dingl_ said,
The takeaway? Windows 8.1, most secure Windows OS ever (perhaps even more secure than OS X in terms of built-in exploit mitigation & security). Even more secure thanks to this guy and the bounty program. Godspeed to any diehard XP fans out there come April ha

"Still I am sure there is more to be done."