Microsoft Security Response Center


MSRC Bounty Programs FAQ


Mitigation Bypass Bounty

General Q&A

What is a mitigation bypass?

A mitigation bypass technique is designed to circumvent protections that are built into operating systems. For example, the Return Oriented Programming (ROP) technique is used by some attackers against built-in DEP (Data Execution Prevention) mitigations. The BlueHat Prize contest uncovered various effective barriers to the ROP technique. (ROP is a known technique, so it would not qualify as an eligible submission to the Mitigation Bypass Program, because we are seeking novel exploitation techniques.)

What is the Mitigation Bypass Bounty?

The Mitigation Bypass Bounty Program asks participants to submit truly novel mitigation bypass techniques that target our latest Windows platform (Windows 8.1 Preview). Qualified mitigation bypass submissions are eligible for payment of $100,000 USD, based on the quality and complexity of the bypass technique and optional defense idea.

Timing

How long will the program run?

The Mitigation Bypass Bounty program will run indefinitely, at Microsoft’s discretion.

Mechanics

How will these techniques be addressed in Windows?

Microsoft takes this bounty program extremely seriously and looks forward to acting on the resulting research to help protect our customers as quickly and effectively as possible.

How will researchers get access to Windows 8.1 Preview?

Download the latest version of Windows here.

What are examples of existing OS mitigations?

Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Structured Exception Handler Overwrite Protection (SEHOP) are just three of the many useful mitigations available in modern computing.

Will reported bugs that affect previous versions of Windows be fixed?

We will gladly accept reports of vulnerabilities that do not meet our bug bounty guidelines. Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at [email protected].

Is there an age limit for participants?

Researchers 14 years of age or older may submit bypasses and defense ideas to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parent’s or legal guardian’s permission prior to participating in this program. Please see the program guidelines for full information on eligibility.

I'm a minor – can my parent or legal guardian collect the bounty for me?

Yes. If you are eligible for this program but are considered a minor in your place of residence, we may award the bounty payment to your parent/legal guardian on your behalf.

Scope

What’s in scope?

We will gladly accept and pay for validated, truly novel mitigation-bypass techniques that are effective against our latest publicly available platform—as of the program’s June 26, 2013, launch date, Windows 8.1 Preview. Please see our guidelines for complete details on technical requirements.

I found a vulnerability, but it doesn’t meet the guidelines. Is Microsoft still interested?

Yes! Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at [email protected].

BlueHat Defense Bonus

General Q&A

What is the BlueHat Bonus for Defense?

The BlueHat Bonus for Defense allows Mitigation Bypass program participants to also submit a technical white paper to describe a defensive idea that could effectively block the exploitation technique they have submitted. Qualifying defense submissions will receive an additional bonus of up to $50,000 USD, depending on the quality and uniqueness of the defense idea.

Is this the end of the BlueHat Prize?

The BlueHat Bonus for Defense Program is the logical continuation of the 2011–12 standalone BlueHat Prize contest; both seek defensive solutions to significant exploitation techniques. All three winning entries in the BlueHat Prize Contest concerned defenses against Return Oriented Programming (ROP), a well-known mitigation-bypass technique.

Does this mean the BlueHat Prize failed?

The BlueHat Prize Contest, which was awarded in July 2012, was a wonderful success. We received more than 20 qualified entries and were able to incorporate one of the winning defense ideas into the Enhanced Mitigation Experience Toolkit (EMET) 3.5 Technology Preview, the then-current version of our free tool.

Can I submit a defense against someone else’s technique?

We will not turn away any interesting defense ideas; however, not all of them will qualify for BlueHat Bonus for Defense payment. We encourage researchers who have defenses against someone else’s technique to contact us at [email protected].

What are the guidelines for the Mitigation Bypass Bounty and BlueHat Bonus for Defense Program?

Please see the program guidelines for complete details.

Internet Explorer 11 Preview Bug Bounty

General Q&A

What is the Internet Explorer 11 Preview Bug Bounty program?

Microsoft will pay up to $11,000 USD for critical-class vulnerabilities that affect Internet Explorer 11 Preview on our latest version of Windows (Windows 8.1 Preview). This limited-duration bounty program will run for the first 30 days of the Internet Explorer 11 Preview period.

Will Microsoft make changes to Internet Explorer based on this program?

We’ll evaluate the reports we receive and work to incorporate appropriate changes into Internet Explorer to help protect our customers while causing them the least disruption.

Why did Microsoft choose to initiate the Internet Explorer 11 Preview Program?

After evaluating other bounty programs from vendors and brokers, we believe that starting with a Preview-period bounty on a specific, high-profile product suits Microsoft’s development process and fills a gap in the existing vulnerability marketplace. Addressing these issues prior to release also causes the least disruption to our customers.

By Preview, do you mean beta?

Yes, the Internet Explorer 11 Preview is a beta (pre-release) version of the browser. The Windows 8.1 Preview is a beta (pre-release) version of the operating system.

When will Microsoft offer a bounty for other products?

We are excited to announce the Internet Explorer 11 Preview Bug Bounty program as well as the Mitigation Bypass Bounty and the BlueHat Bonus for Defense Program. We’ll evaluate and determine our next evolution of programs that bring the security research and Microsoft communities together to help keep customers safe.

Is this a contest? Who wins?

Each entry submitted as part of our bounty programs will be evaluated solely on its own merits and paid in accordance with that program’s guidelines. There is no “winner” for a bounty program, except, of course, Microsoft customers, who will benefit from stronger defenses.

I used to work for Microsoft. May I participate?

Former Microsoft employees—even those who were previously members of the Internet Explorer team—may participate.

Is there an age limit for participants?

Researchers 14 years of age or older may submit vulnerabilities to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parent’s or legal guardian’s permission prior to participating in this program. Please see the program guidelines for full information on eligibility.

I'm a minor – can my parent or legal guardian collect the bounty for me?

Yes. If you are eligible for this program but are considered a minor in your place of residence, we may award the bounty payment to your parent/legal guardian on your behalf.

How does privacy figure into Internet Explorer 11 Preview Bug Bounty?

Privacy has long been a priority in Internet Explorer; we offer a wide range of controls that help people better manage their privacy online. By accepting security bugs with privacy implications in this program, we further our longstanding commitment to this fundamental component of the browser.

Payouts and Totals

My employer owns my IP. May I still participate?

Anyone submitting a bounty entry should be able to attest that they are legally permitted to participate, as stated in our guidelines.

Do you pay for duplicates?

In the event two parties enter similar, eligible submissions, Microsoft will consider the time, date, quality, and complexity of the entries as the deciding factors for eligibility of payment.

What about taxes?

Bounty payouts are taxable income. Participating researchers receiving bounties will also receive the appropriate tax documentation; it is the sole responsibility of the submitter or legal guardian to return that documentation to Microsoft.

Will researchers be publicly acknowledged, and if so, how?

We plan to acknowledge researchers who submit a valid issue through our bounty programs on our website. Researchers may request to remain anonymous, and we will abide by that request; however, we must obtain basic identifying information in order to properly award bounties.

Timing

How long will the Internet Explorer 11 Preview Bug Bounty program run?

The bounty period for Internet Explorer 11 Preview starts on June 26, 2013, and ends July 26, 2013, so that we have some Preview time remaining to evaluate and address submitted issues.

Scope

What’s in scope?

We will gladly accept and pay for validated security issues found in Internet Explorer 11 Preview, running on Windows 8.1 Preview. Please see our guidelines for complete details on technical requirements.

I found a vulnerability, but it doesn’t meet the guidelines. Is Microsoft still interested?

Yes! Please submit all other vulnerabilities, following our Coordinated Vulnerability Disclosure practices, by emailing us at [email protected].

Should I wait to see if a different Microsoft product hosts a bounty program?

We do not have bounty programs other than the Internet Explorer 11 Preview Bug Bounty, Mitigation Bypass Bounty, and BlueHat Bonus for Defense programs to announce at this time. We will evaluate how bounties may fit into the wider world of Microsoft to help keep customers safe.

What about Windows 8.1?

The Internet Explorer 11 Preview Bug Bounty Program is scoped to Internet Explorer 11 Preview, running on Windows 8.1 Preview. We encourage those interested in Windows 8.1 to explore the Mitigation Bypass Bounty Program for additional opportunities.

Why only Preview?

We are debuting our new bounty program during the Preview period of Internet Explorer 11 because this gives us the opportunity to address the greatest number of issues with the least impact to our customers. In addition, most bounty programs don’t offer payment for products in beta, so we’re pleased to address that gap in the marketplace.

Mechanics

What are the guidelines for the Internet Explorer 11 Preview Bug Bounty?

Please see the program guidelines for complete details.

How will researchers get access to Internet Explorer 11 Preview?

Download the latest version of Internet Explorer here.
