Google, Microsoft increase bug bounties

Bug hunters, rejoice: both Google and Microsoft have announced a considerable increase of the amount they will pay out for information about bugs in their products.

Google Microsoft bug bounties

Google ups bug bounties for most severe bugs

Google has upped the rewards for “Remote Code Execution” and “Unrestricted file system or database access” to $31,337 (from $20,000) and $13,337 (from $10,000), respectively.

The “Remote Code Execution” category includes command injection flaws, deserialization bugs, sandbox escapes, and more, while the “Unrestricted file system or database access” category encompasses SQL injections and XXE (XML External Entity attack) vulnerabilities.

As security program manager Josh Armour explained, the changes were made because high severity vulnerabilities have become harder to identify over the years, and researchers are, therefore, spending more time and effort to find them.

“We want to demonstrate our appreciation for the significant time researchers dedicate to our program,” he noted.

As always, more information about the rules of the company’s vulnerability reward program (VRP) can be found here.

Microsoft temporarily doubles rewards

From March 1, 2017 to May 1, 2017, rewards for vulnerabilities in Exchange Online and Office 365 Admin Portal will be doubled, the MSRC Team announced.

“These properties are core web applications in the Office 365 suite,” they explained. “Securing Exchange Online, Microsoft’s hosted enterprise e-mail solution, is vital to customer security as it is the gateway to accessing critical user information such as email, calendars, contacts and tasks for any endpoint device. Office 365 admin portal is the web management interface for managing tenant access. This portal is an important piece in protecting tenants and tenant admins from compromise.”

The importance of the security of these properties has never been in question, but the company did not clarify the specific reason behind this temporary change.

In any case, bug hunters who have until now avoided concentrating on Microsoft assets can find all the information the need to start here.

Source: Help Net Security – News @ March 6, 2017 at 03:51AM

0
Share