James Forshaw, head of vulnerability research at London security consulting firm Context Information Security, won Microsoft's first $100,000 reward for discovering "a new exploitation technique" in Windows 8.1, the software giant said on Tuesday.
Microsoft was already familiar with Forshaw. He recently earned $9,400 for finding vulnerabilities in a preview release of Internet Explorer 11. He has also collected rewards from Hewlett-Packard Co. and other software companies for his work exposing security flaws and exploitation techniques.
Tech companies paying hackers for discovering security vulnerabilities has become a common practice in the software development industry. Microsoft is one of the most recent to join in, debuting in June its bug bounty program that so far has paid researchers more than $128,000—with about 85 percent of that amount going to Forshaw alone.
Since 2010, Google has paid out more than two million dollars to "ethical hackers" who have found security weaknesses in its online tools and web apps. Facebook's program has been around for two years and has awarded more than a million dollars for bug discoveries. Last month the social networking site paid $12,500 for the identification of a major software vulnerability, and while that amount was a big deal at the time, it now looks like peanuts next to Forshaw's haul.
Katie Moussouris, Senior Security Strategist at Microsoft, said in her blog post:
The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.