Security Researcher Awarded $100,000 for Discovering Exploit in Windows 8.1


Today, Microsoft announced that security researcher James Forshaw has been awarded $100,000 for finding and reporting a new mitigation bypass exploit in Windows 8.1. This is the biggest security bounty Microsoft has ever paid out to a single person. According to the post, “… James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.”

Microsoft has yet to release the details of the exploit, as it is working to patch it before making any more information about it public. If you’re a security researcher interested in seeing whether you can make such a big score, Microsoft explains in the blog post what it feels deserves a bigger payout:

“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”

In total, Mr. Forshaw is walking away with $109,400 for all his exploit submissions.  I guess it pays to test this stuff out.