A UK-based security researcher has won the first $100,000 (£62,500) bounty from Microsoft for a mitigation bypass technique.
Introduced in June this year to pay for techniques that bypass built-in OS mitigations and protections for defences that stop such bypasses, and for vulnerabilities in the beta of Internet Explorer 11, the Blue Hat prize has been awarded to James Forshaw, head of vulnerability research at Context Information Security.
James Forshaw, head of vulnerability research at Context Information Security said:
“Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.
“To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful. Receiving the recognition for my entry is exciting to me and my employer Context, it also gives me the satisfaction that I am contributing to improving the security of both Microsoft’s and Context’s customers.”
Forshaw has also benefited from the discovery of design level bugs, taking his total bounty earnings to $109,400 (£68,000). Microsoft said that it will not be releasing details of the technique until it is addressed.
Katie Moussouris, senior security strategist at Microsoft Security Response Center, said: “ James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps.
“While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.
The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”
