Microsoft awards its first $100,000 bounty for finding Windows 8.1 exploit

A few days ago, Microsoft announced it had awarded a total of over $28,000 to six security researchers who found exploits in the preview version of Internet Explorer 11. Today, Microsoft announced one of those researchers, James Forshaw, has also been awarded a whopping $100,000 for finding and reporting a new mitigation bypass exploit in Windows 8.1.

The award was revealed on Microsoft's BlueHat blog and is the first such prize to be awarded by the company since it announced new ongoing software bounty programs in June. The blog noted that a team member at Microsoft had independently found a variant of the attack Forshaw reported, but added, " ... James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty."

Microsoft has yet to reveal details of the Windows 8.1 exploit that Forshaw found (the company wants to address the problem first), but the blog gave the company's reason for paying such a huge amount for this discovery:

The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.

Combined with the IE11 exploits found by Forshaw, the amount of money Microsoft has awarded him is now up to $109,400.

Source: Microsoft | Image via Microsoft

22 Comments

I wonder if the programmers that were in charge of the software portion that the exploit was found in lose part of their bonus check because of the bounty paid out?

texasghost said,
I wonder if the programmers that were in charge of the software portion that the exploit was found in lose part of their bonus check because of the bounty paid out?

Bonus? For a programmer? What is this "bonus" you speak of?

Small bugs may be "easily" found by those who do this for fun and have the knowledge to do so.

Something that gets awarded 100k is worth a lot of time and research and requires a fair bit of devotion to prove as such.

I would say, well done to the security researcher.

Spicoli said,
Well, go for it then if it's so easy.

I might. I work with this kind of stuff, so I'm pretty sure I know better than you how easy this can be.

adrynalyne said,
I bet. You are also a millionaire and a black belt in martial arts, right?

I'm actually almost a black belt in ninjutsu.

guitmz said,
easiest money of your lives

Well? Don't leave us all hanging like this. How much money has MS paid you so far?

They paid me 1000 BRL for a Vista security event back then, when I found an issue with Windows Defender. After that I never tried again officially.

guitmz said,
They paid me 1000 BRL for a Vista security event back then, when I found an issue with Windows Defender. After that I never tried again officially.

Why not, if it's such easy money? If I thought it was easy money I'd put my money where my mouth is, and quit my job and live off of finding security holes like this.

It's not that hard to find problems in Windows, but it takes time with testing, etc. The way the OS works allows that. I'm too busy with work to waste my time on that (if I was on work vacation, for example, I'd try it). I get paid very well and I'm not greedy, so I don't care.

guitmz said,
It's not that hard to find problems in Windows, but it takes time with testing, etc. The way the OS works allows that. I'm too busy with work to waste my time on that (if I was on work vacation, for example, I'd try it). I get paid very well and I'm not greedy, so I don't care.

What I'm still after is your "easy money" claim, and this isn't helping your argument. Is your current job paying more than MS's bounties could if you were to do it full-time? If you were to break it down into time spent, I mean.