October 8, 2013

UK security researcher wins first Microsoft $100,000 bounty

Bounty programme yields reward for James Forshaw after discovering design-level bugs in IE11 Preview.

By Claire Vanner

James Forshaw, head of vulnerability research at UK-based Context Information Security, is the first recipient of a Microsoft $100,000 Bounty for New Mitigation Bypass Techniques.

The bounty programme was one of three introduced in June this year to pay researchers for techniques that bypass built-in OS mitigations and protections, for defences that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview.

Microsoft's Blue Hat blog announced that Forshaw has already benefited from discovering design-level bugs during the IE11 Preview Bug Bounty, taking his total bounty earnings to $109,400.

Microsoft is not providing details of this new mitigation bypass technique until it is addressed, but says it pays so much more for a new attack technique than for an individual bug because learning about new mitigation bypass techniques helps it develop defences against entire classes of attack.

Strengthening platform-wide mitigations makes it harder to exploit bugs in all software running on the Microsoft platform, not just in Microsoft applications.

"Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus on complex logic bugs," Forshaw said.

"I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires. Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.

"To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful. Receiving the recognition for my entry is exciting to me and my employer Context. It also gives me the satisfaction that I am contributing to improving the security of both Microsoft’s and Context’s customers."

Katie Moussouris, senior security strategist lead, Microsoft Trustworthy Computing commented: "We’re thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James’ entry will help us improve our platform-wide defences and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues."
