James Forshaw, head of vulnerability research at UK-based Context Information Security, is the first recipient of a Microsoft $100,000 Bounty for New Mitigation Bypass Techniques.
The bounty programme was one of three introduced in June this year to pay researchers for techniques that bypass built-in OS mitigations and protections, for defences that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview.
Microsoft Blue Hat blog announced that Forshaw has already benefited from discovering design level bugs during the IE11 Preview Bug Bounty, taking total bounty earnings to $109,400.
Microsoft is not providing details of this new mitigation bypass technique until it is addressed, but says that the reason it pays so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps to develop defences against entire classes of attack.
Strengthening platform-wide mitigations, makes it harder to exploit bugs in all software running on the Microsoft platform and not just Microsoft applications.
"Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus of complex logic bugs," Forshaw said.
"I'm keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires. Microsoft's Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.
"To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful. Receiving the recognition for my entry is exciting to me and my employer Context. It also gives me the satisfaction that I am contributing to improving the security of both Microsoft's and Context's customers."
Katie Moussouris, senior security strategist lead, Microsoft Trustworthy Computing commented: "We're thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James' entry will help us improve our platform-wide defences and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues."