Microsoft pays first IE11 preview bounty bug prize to Google employee

In June, Microsoft announced new "bounty programs" for people who could find exploits inside Windows 8.1 or vulnerabilities in the Internet Explorer 11 preview. This week, Microsoft announced that it has already informed one person that he has won money for finding an issue in IE11.

In a post on Microsoft's BlueHat blog penned by Katie Moussouris, a senior security strategist at Microsoft, the following announcement was made:

The security community has responded enthusiastically to our new bounty programs, submitting over a dozen issues for us to investigate in just the first two weeks since the programs opened.  I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)

While Moussouris did not name who won the first IE11 bug bounty in the blog, she used her Twitter account this week to name and congratulate the winner. He is Ivan Fratric, who actually won $50,000 in 2012 in Microsoft's BlueHat security programming contest. Fratric is currently working as an information security engineer at Google. It is currently unknown just how much Microsoft paid Fratric for his IE11 bug hunting, but Microsoft promised to pay up to $11,000 for each confirmed exploit.

While the Windows 8.1 bounty program is ongoing, the IE11 preview bounty program will end on July 26. Moussouris said a number of other researchers have also found exploits in IE11 and will be notified of that fact very soon. She added that as a result of this new bounty program, Microsoft has received more vulnerability reports than it normally does and has received more reports from security researchers who rarely, if ever, directly contact Microsoft.

Source: Microsoft via PCWorld | Image via Microsoft


17 Comments

Can anyone explain to me why the fact that this guy is employed by Google is relevant to the story?

Unless he's finding bugs in a competitor's products on Google's time, I don't know why this is being brought up.

Actually, I know exactly why this is being brought up, but I'm wondering whether I've missed anything and that it actually turns out *being* relevant...

Anyone know if this is an exploit in the desktop or modern version of IE11 or both?
Fair play to the guy for doing this, I know he's getting paid but it benefits the majority in the end.

Riggers said,
Anyone know if this is an exploit in the desktop or modern version of IE11 or both?
Fair play to the guy for doing this, I know he's getting paid but it benefits the majority in the end.

They access the same engine and are a shared code base, so the chances are it would have existed in both.

In practice a bug could gain more access to cause harm in the desktop version due to only having one sandbox layer.

Oh the irony how Scroogle employees are reporting bugs in IE11 and not bashing Microsoft or posting the vulnerability to the public.

Don't worry, new patches bring forth new sets of vulnerabilities.
MS will keep 'introducing' new vulnerabilities so they could market the new IE12 later, claiming IE11 was insecure, repeat and rinse.

Torolol said,
Don't worry, new patches bring forth new sets of vulnerabilities.
MS will keep 'introducing' new vulnerabilities so they could market the new IE12 later, claiming IE11 was insecure, repeat and rinse.

You can't possibly be serious with your comments. IE11 is actually an amazing browser - they really are stepping up their game even if they still have catching up to do with Chrome in terms of standards support. Also IE10/11 are actually really damn secure nowadays - I'm not afraid to say maybe even the browsers with the least vulnerabilities and security holes than the competition (including Chrome). I'm a web developer for a living and actually use IE for all my personal browsing. With IE11 and its new Developer Tools, I've been using Chrome less and less for work too...

This is the right way to go about things, unlike that other Google engineer who published an exploit without going to MS first.

Torolol said,
That's because it had less monetary incentive back then.

No, Tavis Ormandy, the Google engineer who did that, has an axe to grind with Microsoft and has been willing to act unethically in the process.

I think that should be pretty clear that Tavis shouldn't be listened to after he advised the general public to either not talk to Microsoft about product flaws, or to only talk to them through both a pseudonym and Tor. To date the only folks I've ever heard of Microsoft truly being hostile towards in security research are the folks who love improper disclosures.

Why, cause Google can't have highly skilled employees?
Or that Google employees don't have free time to spend.
It says Google employee, not Google.

If you'd look into this guy, he has been filing bug reports for IE and many more programs (not only from Microsoft) outside his work at Google.

Jaybonaut said,
Gotta admit, that's gotta burn.

IE vs Chrome: FIGHT

It's better to pay Google to give the bug to Microsoft than directly to virus and malware writers.