Skip to main content

Mitigation Bypass and Bounty for Defense Terms

PROGRAM DESCRIPTION

Microsoft is pleased to announce the launch of the Microsoft Mitigation Bypass Bounty and Bounty for Defense Program beginning June 26, 2013. Through this program, individuals across the globe have the opportunity to submit a novel mitigation bypass against our latest Windows platform, and are also invited to submit a defense idea that would block an exploitation technique that currently bypasses the latest platform mitigations. Under this program, qualified mitigation bypass submissions are eligible for payment of up to $100,000 USD and qualified defensive techniques are eligible for a bounty of up to $100,000, for a total of up to $200,000 USD. All bounties will be paid out at Microsoft’s discretion.

If you are submitting a new mitigation bypass technique that you have found in an active attack, please note that that we have a similar but separate program for you, and the terms appearing here are aimed at individuals submitting their own idea for a new mitigation bypass technique.

If you are submitting your own idea, please read the full terms below and then send your entry for consideration to secure@microsoft.com. If you are submitting a technique you found in use in an active attack, you must first pre-register with us by emailing us at bounty@microsoft.com and secure@microsoft.com for further details.



WHAT CONSTITUTES AN ELIGIBLE SUBMISSION FOR MITIGATION BYPASS?

Eligible bypass submissions will include a white paper or a brief document explaining the exploitation method and target one of the following scenarios:

  • A novel method of exploiting a real Remote Code Execution (RCE) vulnerability. A real RCE vulnerability is understood to be an RCE that exists in a Microsoft application which may or may not have already been addressed through a security update.
  • A vulnerability in Microsoft Hyper-V that enables a guest virtual machine to compromise the hypervisor, escape from a guest virtual machine to the host, or escape from one guest virtual machine to another guest virtual machine. Vulnerabilities that rely on an attacker having full control of a guest or that rely on a malicious operating system running in a guest are considered in scope.
  • A novel method of bypassing a mitigation imposed by a user mode sandbox. For example, this could include a technique that can bypass symbolic link restrictions imposed by a sandbox or other novel logic issues that enable an attacker to escape the sandbox and elevate privileges.

Eligible bypass submissions are permitted to make use of known methods of exploitation in their exploit and whitepaper, but a novel exploitation method must be an integral and required component of enabling reliable remote code execution. Submissions must clearly distinguish the novel aspects of the exploitation method being described.

Eligible product versions for Microsoft Hyper-V include Windows Server 2012 R2, the latest available Windows Server 2016, Windows 10, and the latest available Windows 10 Insider Preview build. Hardware and firmware issues are not in scope at this time.

The vulnerability must both be submitted on and reproduce on the recent Windows 10 Insider Preview slow ring (WIP slow) in order to qualify for a bounty.

  • If a submission reproduces in a previous WIP Slow build but not the current WIP Slow at the time of your submission, then the submission is ineligible

Eligible bypass submissions must be capable of exploiting a user mode application that makes use of all the latest mitigations supported by the Windows platform. Please refer to the section on MITIGATION BYPASS SCOPE for more information on what is considered in scope and out of scope for mitigation bypass submissions.

Eligible bypass submissions must demonstrate and describe an exploitation method that meets the following criteria:

  • Generic: RCE exploitation methods must be applicable to one or more common memory corruption vulnerability classes.
  • Reliable: it must have a low probability of failure.
  • Reasonable: it must have reasonable requirements and pre-requisites.
  • Impactful: it must be applicable to high risk application domains (browsers, document readers, etc).
  • User Mode: RCE exploitation methods must be applicable to user mode applications.
  • Latest Version: it must be applicable to the latest version of our products on the date the entry is submitted.
  • Novel: it must be a novel and distinct method that is not known to Microsoft and has not been described in prior works.

All qualified submissions are eligible to receive up to $100,000 USD. Submissions with a proof of concept, functioning exploit, detailed write up and/or a whitepaper will be eligible for higher rewards.

The payment levels for eligible Hyper-V submissions will be based upon the following:

  • We will pay up to $100,000 for qualifying submissions that are in default components.
  • We will pay up to $15,000 for qualifying submissions that are in non-default components.


WHAT CONSTITUTES AN ELIGIBLE BOUNTY FOR DEFENSE SUBMISSION?

Bounty for Defense submissions (“defense submissions”) provided to Microsoft must meet the following criteria to be eligible under this program:

Eligible defense submissions will include a technical whitepaper to describe the defense idea that could effectively block an exploitation technique that currently bypasses either the latest platform mitigations or a defensive submission that blocks exploits that is not in the latest platform.
Qualified defense submissions are eligible to receive bonus of up to $100,000 USD, depending on the quality and uniqueness of the defense idea.
We reserve the right to reject any submission that we determine, in our sole discretion, does not meet the above criteria.
Background and descriptions on Windows platform mitigations can be found in the whitepaper on Mitigating Software Vulnerabilities.

MITIGATION BYPASS SCOPE

The following table provides a list of the user mode mitigations that are explicitly in scope and the definition of the techniques that are in scope and out of scope for each mitigation.Submissions that leverage other novel exploitation techniques that are not considered out of scope and are not listed below may still qualify for a bounty.

This scope is subject to change at any time.

MitigationIn scopeOut of scope
Return Flow Guard
(RFG)
Techniques that make it possible
to gain control of the
instruction pointer through corruption
of a return address in
a process that has enabled RFG
  • Non-instrumented returns
  • Leveraging non-RFG images
Control Flow Guard
(CFG)
Techniques that make it possible
to gain control of the instruction
pointer through an indirect
call in a process that
has enabled CFG.
  • Hijacking control flow via
    return address corruption
  • Bypasses related to limitations
    of coarse-grained CFI
    (e.g. calling functions out of context)
  • Leveraging non-CFG images
Arbitrary Code Guard
(ACG)
Techniques that make it possible
to dynamically generate or
modify code in a process that
has enabled the ProcessDynamicCodePolicy
(ProhibitDynamicCode = 1).
  • Bypasses that rely on
    thread opt out being enabled
    (AllowThreadOptOut = 1).
Code Integrity Guard
(CIG)
Techniques that make it possible
to load an improperly signed
binary into a process that has
enabled code signing restrictions
(e.g. ProcessSignaturePolicy).
  • In-memory injection
    of unsigned image code
    pages)
Child Process PolicyTechniques that make it possible
to spawn a child process from
a process that has restricted
child process creation (via the child process policy).
 
Address Space Layout
Randomization (ASLR)
Techniques that make it possible
to generically bypass ASLR
in 64-bit applications that
enable High Entropy ASLR
and Force Relocate Images.
  • Individual vulnerabilities
    that enable address space
    information disclosure
  • Address inference via
    GC
  • 32-bit ASLR bypasses
Data Execution
Prevention (DEP)
Techniques that make it possible
to execute code from non-executable
memory in a process that has
enabled DEP (always on).
  • Reuse of already executable code
SEHOP/SafeSEHTechniques that can be used to
hijack control-flow by corrupting
an SEH registration record in
a process/image that enables
SEHOP and SafeSEH.
  • Techniques that assume
    knowledge of where a
    stack is located
  • Techniques that rely on
    non-SafeSEH images
Heap randomization &
metadata protection
Techniques that can be used
to achieve reliable metadata
corruption or user data corruption.
 

BOUNTY PROGRAM FREQUENTLY ASKED QUESTIONS AND PROGRAM REQUIREMENTS

It is your responsibility to comply with the Microsoft Bounty Program – Comprehensive Terms listed in the FAQ. Please see the Microsoft Bounty Program FAQ to get detailed instructions on:

  1. Reporting bugs to Microsoft
  2. Microsoft’s triage and payment process
  3. Eligibility criteria for participation
  4. Bounty payment policies
  5. Your confidentiality obligations
  6. Microsoft’s privacy statement and legal notice
  7. Other questions on the various Microsoft bounty programs
  8. Coordinate Vulnerability Disclosure

PRIVACY STATEMENT

Please see the privacy statement regarding this program.

LEGAL NOTICE:

To get additional information on the Microsoft legal guidelines please go to the FAQ and scroll to 'Legal Notice'

Thank you for participating in the Microsoft Bug Bounty Program!

MSRC Blog

SRD Blog