Microsoft has announced that it awarded its first $100,000 bounty to a security researcher named James Forshaw. Forshaw is a security vulnerability researcher with Context Information Security and had previously found design-level bugs during the IE11 Preview Bug Bounty.

Microsoft declined to go into any details about the new mitigation bypass technique Forshaw uncovered until it has addressed the attack. Microsoft says that it will be able to better protect customers by creating new defenses for future versions of its products.
Microsoft did note that one of its engineers named Thomas Garnier had also discovered a variant of this attack technique.

Despite this revelation, Microsoft says that it decided to award the full $100,000 to Forshaw. Microsoft says that it pays so much more for new attack techniques than for the discovery of individual bugs because new mitigation bypass techniques allow Microsoft to develop defenses against an entire class of attack.

Microsoft said, "The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."

Microsoft has paid out over $128,000 in its bug bounty programs so far. Interestingly, Forshaw has earned $109,400 of that total payout.

By Arkive on 10/9/2013 12:13:43 PM , Rating: 4
Just hire the guy already Microsoft. He's practically on the payroll as it is. Imagine the bugs he could find if he was doing NOTHING but that for you.

RE: Geez...
By Spuke on 10/9/2013 12:37:29 PM , Rating: 5

RE: Geez...
By Motoman on 10/9/2013 2:03:46 PM , Rating: 5
Indeed. In fact, I bet he would Excel.

RE: Geez...
By Alexvrb on 10/9/2013 11:40:25 PM , Rating: 3
No doubt. Especially once he had Access to the source code.

RE: Geez...
By Imaginer on 10/10/2013 2:30:51 AM , Rating: 2
And, he has some good Outlook on finding computer problems.

RE: Geez...
By Motoman on 10/10/2013 10:30:17 AM , Rating: 2
At any rate, it'll be quite a Project. Let's hope the Publisher doesn't limit the final report to the FrontPage.

RE: Geez...
By kenthaman on 10/10/2013 11:27:55 AM , Rating: 2
OneNote on this topic, I wonder what the InfoPath was to discovering this new platform vulnerability.

RE: Geez...
By FraGAU on 10/11/2013 4:39:04 AM , Rating: 2
I wonder how many more will Surface.

RE: Geez...
By JazzMang on 10/11/2013 9:43:33 AM , Rating: 2
I have no doubt that his work would create FrontPage news.

RE: Geez...
By bah12 on 10/11/2013 10:53:29 AM , Rating: 2
That sure doesn't Paint a pretty picture.

RE: Geez...
By bah12 on 10/11/2013 10:54:30 AM , Rating: 2
But it sure would open a couple Windows to his soul.

RE: Geez...
By superstition on 10/11/2013 11:21:11 PM , Rating: 2
His middle name is Bob.

RE: Geez...
By inighthawki on 10/9/2013 1:38:27 PM , Rating: 2
And imagine how much more quickly he can do it with more resources such as source code access :)

RE: Geez...
By Nekrik on 10/9/2013 2:02:09 PM , Rating: 5
I would imagine they have tried, but regardless of if they have or haven't, he probably makes more collecting the pay-outs than he would on salary...

RE: Geez...
By DT_Reader on 10/9/2013 2:40:15 PM , Rating: 1
He probably notifies the NSA first, then reveals the security flaws to MS only after the NSA have fully exploited them. MS probably can't pay him enough, since Snowden has shown everyone what happens to people who cross the NSA.

RE: Geez...
By MozeeToby on 10/9/2013 4:14:22 PM , Rating: 2
I love how he's received "the vast majority" of their bug bounty payouts, 109,000 out of 125,000. But according to the source article those numbers include the 100,000 he just earned. So yeah... of course he has received the majority, he just received 4x more than the program had paid out to date.

So, saying they should just hire him... well, look at it this way. If he hadn't found the vulnerability they wouldn't have had to pay him. If he's on the payroll they're out at least 6 figures each and every year regardless of if he finds something or not.

RE: Geez...
By DominionSeraph on 10/10/2013 8:06:07 AM , Rating: 2
I know that sounds like a good idea on the surface there, Bob, but this guy seems to excel as a freelancer (as this large exchange of money can attest.)

