Mitigation Bypass and Bounty for Defense Terms
Microsoft is pleased to announce the launch of the Microsoft Mitigation Bypass Bounty and Bounty for Defense Program beginning June 26, 2013. Through this program, individuals across the globe have the opportunity to submit a novel mitigation bypass against our latest Windows platform, and are also invited to submit a defense idea that would block an exploitation technique that currently bypasses the latest platform mitigations. Under this program, qualified mitigation bypass submissions are eligible for payment of up to $100,000 USD and qualified defensive techniques are eligible for a bounty of up to $100,000, for a total of up to $200,000 USD. All bounties will be paid out at Microsoft’s discretion.
If you are submitting a new mitigation bypass technique that you have found in an active attack, please note that that we have a similar but separate program for you, and the terms appearing here are aimed at individuals submitting their own idea for a new mitigation bypass technique.
If you are submitting your own idea, please read the full terms below and then send your entry for consideration to
email@example.com. If you are submitting a technique you found in use in an active attack, you must first pre-register with us by emailing us at
firstname.lastname@example.org for further details.
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION FOR MITIGATION BYPASS?
Eligible bypass submissions will include a white paper or a brief document explaining the exploitation method and target one of the following scenarios:
- A novel method of exploiting a real Remote Code Execution (RCE) vulnerability. A real RCE vulnerability is understood to be an RCE that exists in a Microsoft application which may or may not have already been addressed through a security update.
- A vulnerability in Microsoft Hyper-V that enables a guest virtual machine to compromise the hypervisor, escape from a guest virtual machine to the host, or escape from one guest virtual machine to another guest virtual machine. Vulnerabilities that rely on an attacker having full control of a guest or that rely on a malicious operating system running in a guest are considered in scope.
- A novel method of bypassing a mitigation imposed by a user mode sandbox. For example, this could include a technique that can bypass symbolic link restrictions imposed by a sandbox or other novel logic issues that enable an attacker to escape the sandbox and elevate privileges.
Eligible bypass submissions are permitted to make use of known methods of exploitation in their exploit and whitepaper, but a novel exploitation method must be an integral and required component of enabling reliable remote code execution. Submissions must clearly distinguish the novel aspects of the exploitation method being described.
Eligible product versions for Microsoft Hyper-V include Windows Server 2012 R2, the latest available Windows Server 2016 Technical Preview, Windows 10, and the latest available Windows 10 Insider Preview build. Hardware and firmware issues are not in scope at this time.
Eligible bypass submissions must be capable of exploiting a user mode application that makes use of all the latest mitigations supported by the Windows platform which includes:
- Stack corruption mitigations (/GS, SEHOP, and SafeSEH)
- Heap corruption mitigations (metadata integrity checks)
- Code execution mitigations (DEP, ASLR, and CFG)
Eligible bypass submissions must demonstrate and describe an exploitation method that meets the following criteria:
- Generic: RCE exploitation methods must be applicable to one or more common memory corruption vulnerability classes.
- Reliable: it must have a low probability of failure.
- Reasonable: it must have reasonable requirements and pre-requisites.
- Impactful: it must be applicable to high risk application domains (browsers, document readers, etc).
- User Mode: RCE exploitation methods must be applicable to user mode applications.
- Latest Version: it must be applicable to the latest version of our products on the date the entry is submitted.
- Novel: it must be a novel and distinct method that is not known to Microsoft and has not been described in prior works.
All qualified submissions are eligible to receive up to $100,000 USD. Submissions with a proof of concept, functioning exploit, detailed write up and/or a whitepaper will be eligible for higher rewards.
The payment levels for eligible Hyper-V submissions will be based upon the following:
- We will pay up to $100,000 for qualifying submissions that are in default components.
- We will pay up to $15,000 for qualifying submissions that are in non-default components.
WHAT CONSTITUTES AN ELIGIBLE BOUNTY FOR DEFENSE SUBMISSION?
Bounty for Defense submissions (“defense submissions”) provided to Microsoft must meet the following criteria to be eligible under this program:
Eligible defense submissions will include a technical whitepaper to describe the defense idea that could effectively block an exploitation technique that currently bypasses either the latest platform mitigations or a defensive submission that blocks exploits that is not in the latest platform.
Qualified defense submissions are eligible to receive bonus of up to $100,000 USD, depending on the quality and uniqueness of the defense idea.
We reserve the right to reject any submission that we determine, in our sole discretion, does not meet the above criteria.
Background and descriptions on Windows platform mitigations can be found in the whitepaper on
Mitigating Software Vulnerabilities.
HOW DO I PROVIDE MY SUBMISSION?
Send your complete submission to Microsoft at
email@example.com using the bug submission guidelines found
here. We request you follow
Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We are not responsible for submissions that we do not receive for any reason. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.
If you provide us with an otherwise eligible submission, but do not follow
Coordinated Vulnerability Disclosure—for example, by publishing the vulnerability when or before you submit it under this program—then Microsoft may deem your submission to be ineligible under this program. We may also bar you from receiving compensation under future Microsoft Bounty programs.
If a company or an organization wants to participate in the Microsoft Bounty Program, they must pre-register with us before turning in a submission by emailing us at
firstname.lastname@example.org. After you preregister and sign an agreement, then we’ll accept an entry of technical write-up and proof of concept code for bounty consideration.
AM I ELIGIBLE TO PARTICIPATE?
You are eligible to participate in this program if:
- You are 14 years of age or older. If you are at least 14 years old, but are considered a minor in your place of residence, you need to ask your parent’s or legal guardian’s permission prior to participating in this program.
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this program.
- You do not fall under any of the ineligibility criteria listed below under “WHO IS NOT ELIGIBLE TO PARTICIPATE?”
WHO IS NOT ELIGIBLE TO PARTICIPATE?
You are not eligible to participate if you meet any one or more of the following ineligibility criteria:
- You are a resident of any of countries under U.S. sanctions, such as Cuba, Iran, North Korea, Sudan, Syria and regions of Crimea;
- You are currently an employee of Microsoft Corporation or a Microsoft subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
- Within the six months prior to your submission you were an employee of Microsoft Corporation or a Microsoft subsidiary.
- You currently perform services for Microsoft or a Microsoft subsidiary in an external staff capacity that requires access to the Microsoft Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor;
- Within six months prior to your submission you performed services for Microsoft or a Microsoft subsidiary in an external staff capacity that required access to the Microsoft Corporate Network, such as agency temporary worker, vendor employees, business guest, or contractor; or
- You are involved in any part of the administration and/or execution of this program.
The decisions made by Microsoft are final and binding. Microsoft may cancel this program at any time, for any reason. Be sure to read all of these terms before sending us any submission. If you send us a submission for this program, you are agreeing to these terms. If you do not want to agree with these terms, do not send us any submissions or otherwise participate in this program.
WHAT CONFIDENTIALITY OBLIGATIONS DO I TAKE ON BY PROVIDING MY SUBMISSION?
If you send us a submission for this program, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless Microsoft makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability or showing the effects of the exploit in code.
I’VE SENT MY SUBMISSION. NOW WHAT?
- You will receive an email message stating that we have received your submission.
- Our engineers will review the submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.
- After your submission has been validated, you will be contacted to provide the necessary paperwork to process your payment.
- You will complete tax documentation paperwork. After we receive that paperwork and confirm that you are eligible to receive payment under this program, we will deem your submission to be qualified and process your bounty.
Bounties will be paid out at Microsoft’s discretion. Microsoft retains sole discretion in determining which submissions are qualified. There are no restrictions on the number of qualified submissions an individual submitter can provide and be paid for.
In the event of a submission submitted by more than one party, if each are eligible submissions, Microsoft will consider not only time and date of submission, but also quality and complexity to be the deciding factor for eligibility of payment of the bounty.
All individuals who have been awarded bounties will additionally be recognized on our
Bounty Honor Roll page.
It is your responsibility to comply with any policies your employer may have that would impact your eligibility to participate in the bug bounty programs. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving bounty payment(s). Government employees are required to provide a letter from their employer’s ethics compliance officer confirming their ability to participate in this program. All payments will be compliant with local laws, regulations and ethics rules. Microsoft disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.
If we determine that your submission is qualified, Microsoft will notify you by sending a reply to your email submission. If the notification that we send is returned as undeliverable, or you are otherwise unreachable for any reason, we may not provide payment.
If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the e-mail address used to enter the program. Before receiving a bounty payment, you are required to sign an Affidavit of Eligibility (a formal statement verifying your personal information), a Liability/Publicity Release (which provides permission for Microsoft to use your name and likeness without pursuing future claims), a W-9 tax form or W-8 BEN tax form within 30 calendar days of notification of validation. If you wish to remain anonymous to the public, we will honor your request, but we must know your legal name in order to pay you. If your submission is qualified and you are 14 or older, but are considered a minor in your place of legal residence, we may require your parent or legal guardian to sign all required forms on your behalf. If you do not complete the required forms as instructed or return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until we have received the fully executed required documentation.
If your submission is qualified, please note:
- You may not designate someone else as the bounty recipient unless you are considered a minor in your place of residence;
- If you are unable or unwilling to accept your bounty, we reserve the right to rescind it;
- If you accept a bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s); and
- If you are eligible for this program but are considered a minor in your place of residence, we may award the bounty payment to your parent/legal guardian on your behalf.
- Microsoft is not claiming any ownership rights to your submission. However, by providing your submission to Microsoft, you:
- Are agreeing to license intellectual property rights in your submission to Microsoft (please be sure to read and accept these terms before sending us your submission) which includes an irrevocable, perpetual, royalty-free, worldwide, unlimited, nonexclusive, sub-licensable, unrestricted right and license to: (i) use, review, assess, test and otherwise analyze your submission, to reproduce, modify, distribute, display and perform publically, commercialize and create derivative works of your entry and all its content, in whole or in part, in connection with this program; and (ii) feature your submission and all content in connection with the marketing, sale, or promotion of this program (including but not limited to internal and external sales meetings, conference presentations, tradeshows, and screen shots of the submission in press releases) in all media (now known or later developed);
- Agree to sign any necessary documentation that may be required for us and our designees to make use of the rights you granted above;
- Understand and acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission, and you waive any claims you may have resulting from any similarities to your submission;
- Understand that you qualify for a one-time payment per eligible submission and are not guaranteed any additional compensation or credit for use of your submission; and
- Represent that your submission is your own work and you haven’t used information owned by another person or entity.
- Please note that during this program, your submission may be posted on a website selected by us for viewing by visitors to that website. We are not responsible for any unauthorized use of your submission by visitors to this website. While we reserve these rights, we are not obligated to use your submission for any purpose, even if we have deemed it to be a qualified submission.
This program is hosted in the United States, and submissions are collected on computers in the United States. This program will be governed by the laws of the State of Washington, and you consent to the exclusive jurisdiction and venue of the courts of the State of Washington for any disputes arising out of this program.
Microsoft thanks you for your participation.