Archive for the ‘Bounty Programs’ Category

Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty

October 20th, 2015

Today, I have another exciting expansion of the Microsoft Bounty Programs to announce. Please visit https://aka.ms/bugbounty to find out more. I’ll be discussing this new bounty in my talk at SyScan360 on October 21, 2015. We are delighted to offer a bounty for the .NET Core and ASP.NET Beta which Microsoft released earlier this month.

.NET and ASP.NET represent critical building blocks in the Visual Studio Development Suite. This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many Operating Systems. This will extend to all supported platforms, initially including Linux and OS X, with some current exclusions to non-Windows platforms. You can find more information in the FAQs, .NET program terms and the .NET team’s blog. The highlights are as follows:

  • .NET Core and ASP.NET Beta 8 and any subsequent Betas or Release Candidates during the bounty period

  • Presently includes supported platforms on Windows, OS X and Linux

  • The bounty will run October 20, 2015 – January 20, 2016

  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

Happy Hacking!

Jason Shirk

Categories: .NET, ASP.NET, Bounty Programs

Microsoft Bounty Programs Expansion – Bounty for Defense, Authentication Bonus, and RemoteApp

August 5th, 2015

I am very pleased to be releasing additional expansions of the Microsoft Bounty Programs. Please stop by the Microsoft Networking Lounge at Black Hat, August 5-6, to learn more about these programs; or, visit https://aka.ms/BugBounty. We are raising the Bounty for Defense maximum from $50,000 USD to $100,000 USD. I am also very excited to announce that we are launching a bonus period for Authentication vulnerabilities in the Online Services Bug Bounty. We will be running an onsite contest at Black Hat in Las Vegas, August 5-6, related to this effort. Lastly, we are adding RemoteApp to the list of domains covered in the Online Services Bug Bounty.

The changes to the Bounty for Defense reflect the continuing evolution of the Microsoft Bounty Program, based on the feedback and opportunities brought to us from the Security Research Community.

  • Raising the Bounty for Defense from $50,000 USD to $100,000 USD
    • Brings defense up on par with offense
    • Rewards the novel defender equally for their research

This continued evolution includes a new approach to the Online Services Bug Bounty Program:

  • Authentication vulnerabilities will receive double bounty payouts
    • Microsoft Account (MSA) and Azure Active Directory (AAD) vulnerabilities
    • Bonus period will run from August 5, 2015 – October 5, 2015
    • All payouts during this period will receive twice the normal payout (that means we will pay $30,000 USD for a great Authentication vulnerability!)
  • MSA contest at Black Hat
    • Come show us your 1337 skills and win an Xbox One, Surface 3, or one year of full MSDN access
    • Come visit us at the Microsoft Networking Lounge, August 5-6, in Mandalay Bay to review full rules and to participate
  • RemoteApp
    • RemoteApp lets users run Windows apps hosted in Azure anywhere, and on a variety of devices
    • RemoteApp is being added as a new property of the Online Services Bug Bounty Program and all of the regular terms and payout rules apply

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

It has been great to see the reaction from the research community to the Microsoft Edge Bug Bounty, and the Azure addition to the Online Services Bug Bounty Program. I hope to see equal enthusiasm for these new editions!

You can always find the most up-to-date information about the Microsoft Bounty Programs at https://aka.ms/BugBounty and in the associated terms and FAQs.

Thank you!

Jason Shirk

Categories: Bounty Programs

An update on the bounty programs

October 8th, 2013

Back in June of this year, we announced three new bounty programs that will pay researchers for techniques that bypass built-in OS mitigations and protections, for defenses that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview. This past Friday, we provided some additional details about the results of the IE11 Preview bounty program, which covered the first 30 days of the preview period. Today, we are announcing James Forshaw, a security researcher with Context Information Security, has been awarded the first Mitigation Bypass Bounty, which comes with a prize of $100,000.00. As a reminder, this is an ongoing program, so if you are interested in participating, check out all the details here.

Announcing the Microsoft Bounty Programs

June 19th, 2013

Over the years, we’ve put a lot of work into helping secure the computing ecosystem and limiting the number of issues in our products. The security researcher community is critical to these efforts, as they help us find vulnerabilities in our software that we may have missed. 

Now we’re taking it even further. We’re launching three new bounty programs that will pay researchers for techniques that bypass built-in OS mitigations and protections, for defenses that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview. Please visit here for more details.

Best of luck and I look forward to seeing your submissions.

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Categories: Announcements, Bounty Programs