A few days ago, Microsoft announced it had awarded a total of over $28,000 to six security researchers who found exploits in the preview version of Internet Explorer 11. Today, Microsoft announced one of those researchers, James Forshaw, has also been awarded a whopping $100,000 for finding and reporting a new mitigation bypass exploit in Windows 8.1.
The award was revealed on Microsoft's BlueHat blog and is the first such prize to be awarded by the company since it announced new ongoing software bounty programs in June. The blog stated that although a team member at Microsoft had found a variant of the attack that Forshaw reported, "... James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty."
Microsoft has yet to reveal details of the Windows 8.1 exploit that Forshaw found (the company wants to address the problem first), but the blog gave the company's reason for paying such a huge amount for this discovery:
"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."
Combined with the IE11 exploits found by Forshaw, the amount of money Microsoft has awarded him is now up to $109,400.
Source: Microsoft