Over the last few weeks Google has embarrassed Microsoft twice by releasing information on security vulnerabilities in Windows 10 before Microsoft was ready to patch them.
Microsoft has now responded by doubling its bug bounty for a limited period, meaning security researchers can earn up to $30,000 if they find a serious bug in certain Microsoft services between 1 March and 31 May 2017.
Having bugs found by researchers paid by Microsoft would give Microsoft more control over the disclosure process and let it prioritise fixes itself, rather than being forced by the 3-month disclosure schedule most independent researchers follow before going public.
Microsoft is offering rewards for services on the following domains:
The total list includes 18 domains and a further 37 eligible endpoints covered by the standard bug bounty.
Microsoft wants researchers to look for nine different types of bugs, including:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorised cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration (when not caused by user)
While $30,000 may sound like a lot, security researchers may earn much more by selling their find on the dark net, reports Enterprise Times, noting that a zero-day vulnerability can fetch as much as $200,000 and that researchers can make even more if they weaponise the bug and sell it as part of a malware-as-a-service platform. This would of course be highly illegal.
Researchers who are not on the dark side can read more about the bounty system at Technet here.