Today we announced the upcoming Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty program.  It’s very exciting to finally take the wraps off of these initiatives and we are anticipating some great submissions from the security research community!  These programs will allow us to reward great work by researchers and improve the security of our software – all to the benefit of our customers.  Also, we just like to analyze and fix cool bugs!

Mitigation Bypass Bounty Program

Security features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) have made it increasingly difficult and costly to exploit vulnerabilities on modern systems.  As a consequence of this, good exploitation techniques that work reliably when exploiting vulnerabilities on modern systems have become increasingly valuable.  By learning about novel exploitation techniques, we can design better defenses that help protect our customers even when they are running software with an unknown vulnerability or a vulnerability that has not yet been addressed through a security update.  This is why we are announcing the Mitigation Bypass Bounty program.

Anatomy of a good report

A high quality submission to the mitigation bypass bounty program will describe and demonstrate a truly novel method of exploiting one or more memory corruption vulnerability classes when all modern mitigations are in place (e.g. DEP, ASLR, SEHOP, and so on).  For a submission to eligible, it must include a detailed whitepaper and a functioning exploit which demonstrates the exploitation technique against a real world remote code execution vulnerability. The technique must also meet a high bar: it must be generic and reliable, it must have reasonable requirements, it must apply to a high-risk user mode application domain, and it must be applicable to the latest version of our products.  The complete set of requirements can be found in the official rules.

A good example of an exploitation technique that could have qualified for the mitigation bypass bounty program is JIT spraying.  This technique was publicly described for the first time in 2010 by Dionysus Blazakis.  It outlined a method of leveraging a Just-In-Time compiler to generate large amounts of partially controlled instructions that could enable alternative instruction streams if executed at a misaligned offset.  As a result, an attacker can implicitly bypass DEP and ASLR and thereby more easily exploit many classes of memory corruption vulnerabilities.  In response to this exploitation technique, multiple software vendors have released JIT compilers that include built-in mitigations for JIT spraying.

BlueHat Bonus for Defense

In addition to encouraging researchers to report novel exploitation techniques, we also want to encourage submissions to include recommendations on how an exploitation technique can be mitigated.  Submissions that include a whitepaper that describes an effective, practical, and robust mitigation for a qualifying exploitation technique may qualify for up to an additional $50,000 USD bonus.

Internet Explorer 11 Preview Bug Bounty Program

The Security Research and Defense team worked with the core bounty program team to develop the bounty program bug bar for the Internet Explorer 11 Preview Bug Bounty:

Vulnerability Type

Crash dump

Proof of concept

Functioning exploit

Whitepaper

Sandbox escape

Base Payout Tier

RCE vulnerability

optional

required

required

required

required

Tier 0

Could exceed

$11,000 USD*

optional

required

required

required

optional

optional

required

required

optional

optional

Tier 1

maximum payment

$11,000 USD

optional

required

n/a

optional

optional

Tier 2

minimum payment

$1,100 USD*

Important or higher severity design-level vulnerability

optional

required

Proof of Concept is

sufficient

optional

optional

Eligible security bugs that also have privacy implications

optional

required

optional

optional

optional

ASLR Info Disclosure Vulnerability

optional

required

n/a

optional

n/a

Tier 3

minimum payment

$500 USD*

Sandbox Escape Vulnerability

optional

required

optional

optional

required

 

More detail on the submission criteria is available in the official guidelines.  One area worth highlighting is our additional focus on eligible security bugs that also have privacy implications.  While these bugs would be considered as vulnerabilities in their own right, we thought it was important to highlight them and actively incentivize research that furthers our longstanding commitment to privacy.

Anatomy of a good report

The quality and completeness of a submission determines not only the payout but also the priority in which it will be reviewed.  High quality submissions should include a detailed analysis of a vulnerability’s root cause in addition to a proof of concept that reliably reproduces the issue.  This information helps us rapidly confirm your findings so that you can get paid!

The highest rewards will go to submissions that include a fully functioning exploit which concretely demonstrates that remote code execution is possible.  This means the exploit must be capable of bypassing exploit mitigations such as DEP and ASLR.  These submissions allow us to study the exploitation techniques that were used to achieve code execution and thereby identify opportunities for new exploit mitigation features.  In this way, we can increase the cost and difficulty of exploiting entire classes of vulnerabilities rather than simply addressing a single vulnerability at a time.

Triage

The SRD team is also responsible for technical triage on issues as they come in.  We’ve invited several security researchers on contract with Microsoft to help us in this effort.  Our current roster of analysts is as follows:

  • Memory corruption issues
    • Richard van Eeden
    • Ken Johnson
    • Michal Chmielewski
    • Kostya Kortchinsky
    • Matt Miller

  • Design level issues
    • Mario Heiderich
    • Manuel Caballero
    • David Ross

 

  • Internet Explorer Engineering
    • Jim Fox
    • Wilson Guo
    • Forbes Higman
    • Prashant Singh

We are currently aiming to provide feedback and confirmation of payout within two weeks of a report.

Finally, please remember that the IE11 Preview Bug Bounty runs between June 26 and July 26, 2013, so make sure to get your reports wrapped up and submitted in time.

Next steps

We are incredibly excited to get these programs underway and are really looking forward to seeing the submissions that come in. 

 - Matt Miller and David Ross, SRD Bloggers

*Postings are provided "AS IS" with no warranties, and confer no rights.*