The news of Windows 8.1 availability has sparked interest across the world.  We have a nice breakdown of what you will find in the latest release.  Many people are interested in what comes next from the software giant – everyone from retailers, to consumers, to the enterprise.  Make no mistake about it, hackers are watching too.   Those nefarious parties that write code to exploit systems are surely interested in not only the features, but what vulnerabilities arise from the latest OS.  Those vulnerabilities allow them to write code and malware to exploit weaknesses that are subsequently sold on the black market, modified on a daily basis even to the ends of cyber-criminal organizations.  You might even be able to touch back and link to these same weaknesses that allowed the cyber-warfare and cyber-surveillance operations that have hit the news in recent weeks. 

Microsoft launched a program yesterday that offers up to $100,000 to those parties that are able to discover and report exploits in Windows 8.1 and the updated Internet Explorer 11 internet browser product.  The timing bears particular significance in that the public preview version of Windows 8.1 was made the same day.  Microsoft is lining up three of these programs, the most prominent of which carries the $100,000 bounty, and is known as the “Mitigation Bypass Bounty”.  In this program they’re looking for innovative exploitation techniques that can defeat Windows 8.1’s security.  It’s not exactly clear what panel would judge this or what the standards are to meet the “truly novel exploitation” that Microsoft has challenged the community to explore.  The next program is known as the “BlueHat Bonus for Defense” – what Microsoft is asking for here is “defensive ideas that block a qualifying mitigation bypass technique”, and in return the parties that deliver that can be rewarded with up to $50,000.  This one plays like they are looking for techniques that can counter exploits the type of which are found in the first category. Finally, for those that can produce critical vulnerabilities in Internet Explorer 11, an up to $11,000 bounty is posted.

Friends, hackers, researchers! Want to help us protect customers, making some of our most popular products better? And earn money doing so? Step right up…

Microsoft is now offering direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.

In 2002, we pioneered the Trustworthy Computing initiative to emphasize our commitment to doing what we believe best helps improve our customers’ computing experience. In the years since, we introduced the Security Development Lifecycle (SDL) process to build more secure technologies. We also championed Coordinated Vulnerability Disclosure (CVD), formed industry collaboration programs such as MAPP and MSVR, and created the BlueHat Prize to encourage research into defensive technologies. Our new bounty programs add fresh depth and flexibility to our existing community outreach programs. Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers.

Microsoft has taken a lot of heat for a long time for the security weaknesses in Windows products.  Despite a visible amount of issues, that criticism hasn’t always been entirely fair.  Windows has a massive base and is the root and target of botnets, giant waves of malware, and other sources of internet security problems.  Microsoft has come a long way in developing better integration of anti-malware and significant improvements in Windows updates altogether.  They have been responsive to the community about security issues and update frequently based on those interactions.  This is just the latest in a string of concerted efforts to solidify the Windows market in the security realm.