Submission + - Microsoft Bug Bounties Flow To Googlers (securityledger.com)

chicksdaddy writes: Lucre from Microsoft's newly minted bug bounty program is lining the pockets of Google researchers. The Security Ledger reports that two Google employees earned the distinction of receiving some of the first (official) monetary rewards under the company’s bounty program.

Fermín Serna, a researcher in Google’s Mountain View, California headquarters, told The Security Ledger that he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft’s Address Space Layout Randomization (or ASLR) technology.

His bounty followed the first ever (officially) paid to a researcher by Microsoft (https://securityledger.com/2013/07/microsoft-set-to-pay-first-bug-bounty-for-ie-hole/): a bounty that went to Serna’s colleague, Ivan Fratric, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Fratric (@ifsecure) acknowledged the honor in a July 11 post on his Twitter account.

In an e-mail exchange with The Security Ledger, Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. “Mainly all security mitigations in place depend on ASLR. So bringing that one down, weakens the system a lot and makes it easy the exploitation of other vulnerabilities,” he said.

Microsoft announced its first bounty on July 10 and said it had many more submissions that were likely to earn pay-outs. Serna said that other bounties had been issued in addition to the one he received. Microsoft told The Security Ledger that it has, in accordance with the program, "notified some researchers that they will receive bounties."

As for his bounty, Serna (whose resume includes work for Microsoft on the MSRC Engineering team) said it was “way less” than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which include ASLR as well as the Data Execution Prevention or DEP technology). “But still nice!” He plans to donate his windfall to a local animal shelter in Seattle. Awwww!!!!
