
Microsoft has revealed it has awarded security researchers $13.7m for reporting bugs in Microsoft software since July last year.
Microsoft’s bug bounties are one of the largest sources of financial awards for researchers who probe software for flaws and, importantly, report them to the relevant vendor rather than selling them to cybercriminals via underground markets or to exploit brokers who distribute them to government agencies.
The Redmond company has 15 bug-bounty programs through which researchers netted $13.7m between July 1, 2019 and June 30, 2020. That figure is triple the $4.4m it awarded in the same period the previous year.
“The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude,” said members of the Microsoft Security Response Center in a blogpost.
Flaws reported to Microsoft and other vendors via bug bounties can help reduce the number of so-called zero-day exploits that attackers can use to compromise systems before a vendor supplies a security patch to block them. Providing patches to users also helps protect systems from attacks after the vulnerability has been disclosed.
Microsoft’s total annual bug-bounty payouts are now much larger than Google’s awards for security flaws in its software, which totaled $6.5m in calendar year 2019. That figure was double the previous year’s payouts from the ad and search giant, which called it a “record-breaking year”.
Microsoft’s larger expenditure on bug-bounty payouts could be justified, according to new data released by Google’s bug-hunting squad, Google Project Zero (GPZ).
GPZ this week revealed that 11 zero-day vulnerabilities were exploited in the wild in the first half of the year. Such discoveries are rare compared with the overall patch volume: Microsoft fixed 115 vulnerabilities in March alone. But Microsoft software accounted for four of the 11 exploits that Google found being used in the wild in 2020.
The Microsoft flaws included the Internet Explorer bug CVE-2020-0674, which Microsoft patched in February. The other three were Windows memory-corruption bugs that were exploited before Microsoft released patches for them this year.
In 2019, according to GPZ statistics, 11 of the 20 zero-days under attack that year affected Microsoft products, which was much higher than exploited zero-days from any other vendor, including Google.
However, Google noted that there was detection bias towards Microsoft because there are more security tools specialized in detecting Windows bugs.
Microsoft says the higher total payouts this year are due to the launch of six new bounty programs and two new research grants. These attracted over 1,000 eligible reports from over 300 researchers.
Microsoft also suggests COVID-19 social distancing prompted an uptick in security research activity.
“Across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic,” Microsoft said.
The bounty programs Microsoft launched during the period included:
- Microsoft Dynamics 365 Bounty Program, launched July 2019
- Azure Security Lab, launched August 2019
- Microsoft Edge on Chromium Bounty Program, launched August 2019
- Election Guard Bounty Program, launched October 2019
- Xbox Bounty Program, launched January 2020
- Azure Sphere Security Research Challenge, launched May 2020