Microsoft breaks bug-bounty virginity in $100,000 contest

http://www.theregister.co.uk/2013/06/19/microsoft_bug_bounty_black_hat/

Microsoft is breaking its long-standing tradition of not paying for security vulnerabilities by offering a $100,000 cash prize for the first penetration tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it.

At this year's Black Hat USA conference – held at the end of July in the sweaty hell that is Las Vegas at that time of year – Microsoft will offer $100,000 (and a laptop) to the hacker who can demonstrate a critical vulnerability in Windows 8.1, either at the conference or afterwards.

Any successful hacker can earn an additional $50,000 "BlueHat Bonus" if they can tell Redmond how to fix a major flaw in the operating system. In addition, there's an $11,000 bounty on Internet Explorer 11 Preview Edition vulnerabilities – but with a 30 day time limit – presumably so that any new problems can be fixed in time for the final release.

The market for software vulnerabilities is a contentious issue. Proponents point out that cash payouts are the only way for independent security researchers to make a living and that the resulting disclosures have immense benefits for end users. Opponents suggest that hackers should disclose responsibly as a matter of morality. Meanwhile, there's a thriving black market for software flaws, especially zero-day vulnerabilities.