Skip to main content
Rate:  

Mitigation Bypass Bounty and BlueHat Bonus for Defense Program

 
 
Getting started

What are the official guidelines for Microsoft’s bounty program?

Please see complete Mitigation Bypass bounty and BlueHat Bonus for Defense program guidelines here.


Where can I get the version of Microsoft’s platform that is in scope for bounties?

Download the latest version of Windows here.


How long will the program run?

The Mitigation Bypass Bounty and BlueHat Bonus for Defense Programs will run indefinitely, at Microsoft’s discretion.


Is product [x] in scope for the bounty programs?

Please read the above guidelines to understand what is currently in scope for Microsoft’s bounty programs. New bounty programs will be announced on the BlueHat Blog and on the bounty website.

 

Can I get a list of mitigation bypasses/defensive ideas, so I don’t enter something you don’t already know about?

We cannot provide a list of ideas we have evaluated.

 
Questions about the past and future of Microsoft bounty programs

When are you going to add a bounty for [x]?

We’re constantly evaluating our programs to determine how to increase the win-win between the security research community and Microsoft’s customers.

 

I submitted a vulnerability before you had bounties. Can I get paid?

We have long been recognizing the work of security researchers who help us secure our products in a variety of ways, from acknowledgement in a Microsoft bulletin to invitations to events like the Researcher Appreciation Party in Las Vegas. The bounty programs represent the latest in our ongoing investment in working collaboratively with security researchers.

 

What was that Internet Explorer bounty all about?

The Internet Explorer 11 Preview bounty is now closed. It was active from June 26, 2013 - July 26, 2013. For a historical look at the Internet Explorer 11 Preview bounty guidelines, please see details here. To see a list of the smart researchers who participate in our bounty programs, see the Hall of Fame here.

 

 

Bounty Evolution

 

General Q&A

What’s the news I heard about in November 2013 regarding the expansion of the Mitigation Bypass Bounty?

As of November 4, 2013, Microsoft started accepting submissions for bounty consideration from those who discover new mitigation bypass techniques being used in active attacks. This requires pre-registration through doa@microsoft.com. See our full announcement here.


How do I know if I should Pre-Register?

If you are submitting your own mitigation bypass idea that you invented, then you will not pre-register. Simply send it to secure@microsoft.com. If you are submitting a mitigation bypass technique that you found in use in the wild, then you will need to pre-register before you submit. Email doa@microsoft.com to get started. Please see complete program guidelines here.


Are there additional requirements for an organization to participate?

Yes, your organization will be required to complete a pre-registration process in order to participate in the program. Please email doa@microsoft.com for complete details.


Is there a difference in submission requirements?

The submission requirements are similar – Invent or find a new mitigation bypass technique and then send Proof-of-Concept exploit code and a technical whitepaper explaining the new technique in detail. For individuals submitting his or her own mitigation bypass idea that he or she invented, send to secure@microsoft.com. For individuals or organizations submitting a mitigation bypass technique that they found, they will need to pre-register at doa@microsoft.com. Please see complete program guidelines here.

 

Mitigation Bypass Bounty

 

General Q&A

What’s a mitigation bypass?

A mitigation bypass technique is designed to circumvent protections that are built in to operating systems. For example, the Return Oriented Programming (ROP) technique is used by some attackers against the DEP (Data Execution Prevention) mitigation. Multiple known and unknown vulnerabilities can be used to develop a new Mitigation Bypass technique.


What’s the Mitigation Bypass Bounty?

The Mitigation Bypass Bounty Program asks participants to submit truly novel mitigation bypass techniques that target our latest Windows platform. Qualified mitigation bypass submissions are eligible for payment of up to $100,000 USD, based on the quality and complexity of the bypass technique.


How will these techniques be addressed in Windows?

Microsoft takes this bounty program extremely seriously and looks forward to acting on the resulting research to help protect our customers as quickly and effectively as possible.


Will reported bugs that affect previous versions of Windows be fixed?

We will gladly accept reports of vulnerabilities that do not meet our bug bounty guidelines. Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at secure@microsoft.com.


Is there an age limit for participants?

Researchers 14 years of age or older may submit bypasses and defense ideas to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parent’s or legal guardian’s permission prior to participating in this program. Please see the program guidelines here for full information on eligibility.

 
Scope

What’s in scope?

We will gladly accept and pay for validated, truly novel mitigation bypass techniques that are effective against our latest publicly available platform—as of the program’s June 26, 2013, launch date. Please see complete program guidelines here.

 

I found a vulnerability, but it doesn’t meet the guidelines. Is Microsoft still interested?

Yes! Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at secure@microsoft.com.

 

BlueHat Defense Bonus

 

General Q&A

What is the BlueHat Bonus for Defense?

The BlueHat Bonus for Defense allows security researchers to submit a technical white paper to describe a defensive idea that could effectively block a mitigation bypass technique. Qualifying defense submissions will receive up to $50,000 USD, depending on the quality and uniqueness of the defense idea.

 

Are Enhanced Mitigation Experience Toolkit (EMET) bypasses in scope?

No. Bypasses that work against the default configurations of our products are significantly more useful to attackers considering the size of the affected population. EMET has some known limitations, and is designed as a defense in depth measure to break some known exploitation techniques in common use by attackers.

 

Can I submit a defense against someone else’s mitigation bypass technique?

Yes, if the defense submission qualifies as being new and practical as defined in the guidelines, we will award up to $50,000 USD for a defense that can block existing mitigation bypasses.

 

What are the guidelines for the Mitigation Bypass Bounty and BlueHat Bonus for Defense Program?

Please see complete program guidelines here.

 

Featured Video

BlueHat Blog

Mitigation Bypass Bounty and BlueHat Bonus for Defense Program

BlueHat Archive

See past BlueHat Sessions

BlueHat v12

BlueHat v11

BlueHat v10

BlueHat v9

BlueHat v8