Microsoft Bounty Program Guidelines Contents MITIGATION BYPASS BOUNTY AND BLUEHAT BONUS FOR DEFENSE PROGRAM................................................................... 2 PROGRAM DESCRIPTION ................................................................................................................................................................. 2 AM I ELIGIBLE TO PARTICIPATE? ..................................................................................................................................................... 2 WHAT CONSTITUTES AN ELIGIBLE SUBMISSION? .......................................................................................................................... 2 WHAT CONSTITUTES AN ELIGIBLE BLUEHAT BONUS FOR DEFENSE SUBMISSION? .................................................................... 3 DEFINITIONS..................................................................................................................................................................................... 3 HOW DO I PROVIDE MY SUBMISSION? .......................................................................................................................................... 3 /͛s^Ed/EDz^hD/^^/KE͕EKtt,d͍ ................................................................................................................................ 3 BOUNTY PAYMENTS ........................................................................................................................................................................ 3 LEGAL NOTICE .................................................................................................................................................................................. 3 WHO IS NOT ELIGIBLE TO PARTICIPATE? ....................................................................................................................................... 4 INTERNET EXPLORER 11 PREVIEW BUG BOUNTY PROGRAM..................................................................................................... 5 PROGRAM DESCRIPTION ................................................................................................................................................................. 5 AM I ELIGIBLE TO PARTICIPATE? ..................................................................................................................................................... 5 WHAT CONSTITUTES AN ELIGIBLE SUBMISSION? .......................................................................................................................... 5 HOW DO I PROVIDE MY SUBMISSION? .......................................................................................................................................... 6 /͛s^Ed/EDz^hD/^^/KE͕EKtt,d͍ ................................................................................................................................ 6 BOUNTY PAYMENTS ........................................................................................................................................................................ 6 LEGAL NOTICE .................................................................................................................................................................................. 7 WHO IS NOT ELIGIBLE TO PARTICIPATE? ....................................................................................................................................... 8 6/16/2013 12:37 PM Mitigation Bypass Bounty and BlueHat Bonus for Defense Program PROGRAM DESCRIPTION: Microsoft is pleased to announce the launch of the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense Program beginning June 28, 2013. Through this program, individuals across the globe have the opportunity to submit a novel mitigation bypass against our latest Windows platform, and are optionally invited to submit a defense idea that would block an exploitation technique that currently bypasses the latest platform mitigations. Under this program, qualified mitigation bypass submissions are eligible for payment of $100,000 USD, with a bonus of up to $50,000 USD for defense submissions. Bounties will be paid out at MicrosoĨƚ͛ƐĚŝƐĐƌĞƚŝŽŶ. ^KhEKK>͍ZKE͙ AM I ELIGIBLE TO PARTICIPATE? You are eligible to participate in this program if: x you are 14 years of age or older. If you are at least 14 years old, but are considered a minor in your place of residence, you need to ĂƐŬLJŽƵƌƉĂƌĞŶƚ͛ƐŽƌůĞŐĂůŐƵĂƌĚŝĂŶ͛ƐƉĞƌŵŝƐƐŝŽŶƉƌŝŽƌƚŽparticipating in this program. x you are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate͘zŽƵĂƌĞƌĞƐƉŽŶƐŝďůĞĨŽƌƌĞǀŝĞǁŝŶŐLJŽƵƌĞŵƉůŽLJĞƌ͛ƐƌƵůĞƐĨŽƌƉĂƌƚŝĐŝƉĂƚŝŶŐŝŶƚŚŝƐ program. See below for a list of those who are not eligible to participate. WHAT CONSTITUTES AN ELIGIBLE SUBMISSION? Mitigation bypass ƐƵďŵŝƐƐŝŽŶƐ;͞bypass ƐƵďŵŝƐƐŝŽŶƐ͟ͿƉƌŽǀŝĚĞĚƚŽDŝĐƌŽƐŽĨƚŽƌƉŽƌĂƚŝŽŶ;͞DŝĐƌŽƐŽĨƚ͕͟͞ǁĞ͕͟͞ŽƵƌ͟ͿǁŝůůďĞ eligible for payment if they meet the following criteria: Eligible bypass submissions will include an exploit that demonstrates a novel method of exploiting a real Remote Code Execution (RCE) vulnerability and a whitepaper explaining the exploitation method. Eligible bypass submissions are permitted to make use of known methods of exploitation in their exploit and whitepaper, but a novel exploitation method must be an integral and required component of enabling reliable remote code execution. Submissions must clearly distinguish the novel aspects of the exploitation method being described. Eligible bypass submissions must be capable of exploiting a user mode application that makes use of all the latest mitigations supported by the Windows platform which includes: x Stack corruption mitigations (/GS, SEHOP, and SafeSEH) x x Heap corruption mitigations (metadata integrity checks) Code execution mitigations (DEP and ASLR) Eligible bypass submissions must demonstrate and describe an exploitation method that meets the following criteria: x Generic: it must be applicable to one or more common memory corruption vulnerability classes. x Reliable: it must have a low probability of failure. x Reasonable: it must have reasonable requirements and pre-‐requisites. x Impactful: it must be applicable to high risk application domains (browsers, document readers, etc). x User Mode: it must be applicable to user mode applications. x Latest Version: it must be applicable to the latest version of our products on the date the entry is submitted. x Novel: it must be a novel and distinct method that is not known to Microsoft and has not been described in prior works. Qualified bypass submissions are eligible to receive $100,000 USD. 6/16/2013 12:37 PM WHAT CONSTITUTES AN ELIGIBLE BLUEHAT BONUS FOR DEFENSE SUBMISSION? ůƵĞ,ĂƚŽŶƵƐĨŽƌĞĨĞŶƐĞƐƵďŵŝƐƐŝŽŶƐ;͞ĚĞĨĞŶƐĞƐƵďŵŝƐƐŝŽŶƐ͟ͿƉƌŽǀŝĚĞĚƚŽDŝĐƌŽƐŽĨƚmust meet the following criteria to be eligible under this program: Eligible defense submissions will include a technical whitepaper to describe the defense idea that could effectively block an exploitation technique that currently bypasses the latest platform mitigations. Qualified defense submissions are eligible to receive bonus of up to $50,000 USD, depending on the quality and uniqueness of the defense idea. We reserve the right to reject any submission that we determine, in our sole discretion, does not meet the above criteria. DEFINITIONS: Background and descriptions on Windows platform mitigations can be found in the whitepaper on Mitigating Software Vulnerabilities. HOW DO I PROVIDE MY SUBMISSION? Send your complete submission to Microsoft at [email protected]. We are not responsible for submissions that we do not receive for any reason, or for submissions that we receive but are incomplete, or indecipherable. /͛s^Ed/EDz^hD/^^/KE͕EKtt,d͍ x You will receive an email stating that we have received your submission. x Our engineers will review the submission and validate its eligibility. The duration of review time will vary depending on the complexity and completeness of your submission, as well as number of submissions we receive. x Upon validation, you will be contacted to provide the necessary paperwork to keep our legal team at bay. x After receiving that paperwork and confirming that you are eligible to receive payment under this program, we will deem your submission to be qualified and process your bounty! BOUNTY PAYMENTS: ŽƵŶƚŝĞƐǁŝůůďĞƉĂŝĚŽƵƚĂƚDŝĐƌŽƐŽĨƚ͛ƐĚŝƐĐƌĞƚŝŽŶ. Microsoft retains sole discretion in determining which submissions are qualified. There are no restrictions on the number of qualified submissions an individual submitter can provide and be paid for. In the event of a submission submitted by more than one party, if each are eligible submissions, Microsoft will consider not only time and date of submission, but also quality and complexity to be the deciding factor for eligibility of payment of the bounty. LEGAL NOTICE: It is your responsibility to comply with any polices your employer may have that would impact your eligibility to participate in the bug bounty programs. /ĨLJŽƵĂƌĞƉĂƌƚŝĐŝƉĂƚŝŶŐŝŶǀŝŽůĂƚŝŽŶŽĨLJŽƵƌĞŵƉůŽLJĞƌ͛ƐƉŽůŝĐŝĞƐ͕LJŽƵŵĂLJďĞĚŝƐƋƵĂůŝĨŝĞĚĨƌŽŵ participating or receiving bounty payment(s). Government employees are required to provide a letter from their ĞŵƉůŽLJĞƌ͛Ɛ ethics compliance officer confirming their ability to participate in this program. All payments will be compliant with local laws, regulations and ethics rules. Microsoft disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter. If we determine that your submission is qualified, Microsoft will notify you by sending a reply to your email submission. If the notification that we send is returned as undeliverable, or you are otherwise unreachable for any reason, we may not provide payment. If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the e-‐mail address used to enter the program. Before receiving a bounty payment, you are required to sign an Affidavit of Eligibility (a formal statement verifying your personal information), a Liability/Publicity Release (which provides permission for Microsoft to use your name and likeness without pursuing future claims), a W-‐9 tax form or W-‐8 BEN tax form 6/16/2013 12:37 PM within 30 calendar days of notification of validation. If you wish to remain anonymous to the public, we will honor your request, but we must know your legal name in order to pay you. If your submission is qualified and you are 14 or older, but are considered a minor in your place of legal residence, we may require your parent or legal guardian to sign all required forms on your behalf. If you do not complete the required forms as instructed or return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until we have received the fully executed required documentation. If your submission is qualified, please note: x you may not designate someone else as the bounty recipient unless you are considered a minor in your place of residence; x if you are unable or unwilling to accept your bounty, we reserve the right to rescind it; x if you accept a bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s); and x if you are eligible for this program but are considered a minor in your place of residence, we may award the bounty payment to your parent/legal guardian on your behalf. Microsoft is not claiming any ownership rights to your submission. However, by providing your submission to Microsoft, you: x are agreeing to license intellectual property rights in your submission to Microsoft (please be sure to read and accept these terms before sending us your submission) which includes an irrevocable, perpetual, royalty-‐free, worldwide, unlimited, nonexclusive, sub-‐licensable, unrestricted right and license to: (i) use, review, assess, test and otherwise analyze your submission, to reproduce, modify, distribute, display and perform publically, commercialize and create derivative works of your entry and all its content, in whole or in part, in connection with this program; and (ii) feature your submission and all content in connection with the marketing, sale, or promotion of this program (including but not limited to internal and external sales meetings, conference presentations, tradeshows, and screen shots of the submission in press releases) in all media (now known or later developed); x agree to sign any necessary documentation that may be required for us and our designees to make use of the rights you granted above; x understand and acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission, and you waive any claims you may have resulting from any similarities to your submission; x understand that you qualify for a one-‐time payment per eligible submission and are not guaranteed any additional compensation or credit for use of your submission; and x ƌĞƉƌĞƐĞŶƚƚŚĂƚLJŽƵƌƐƵďŵŝƐƐŝŽŶŝƐLJŽƵƌŽǁŶǁŽƌŬĂŶĚLJŽƵŚĂǀĞŶ͛ƚƵƐĞĚŝŶĨŽƌŵĂƚŝŽŶŽǁned by another person or entity. Please note that during this program, your submission may be posted on a website selected by us for viewing by visitors to that website. We are not responsible for any unauthorized use of your submission by visitors to this website. While we reserve these rights, we are not obligated to use your submission for any purpose, even if we have deemed it to be a qualified submission. This program is hosted in the United States, and submissions are collected on computers in the United States. This program will be governed by the laws of the State of Washington, and you consent to the exclusive jurisdiction and venue of the courts of the State of Washington for any disputes arising out of this Program. WHO IS NOT ELIGIBLE TO PARTICIPATE? x A resident of any of countries under U.S. sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria; x a current employee of Microsoft Corporation or a Microsoft subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee; x a contingent staff member or vendor employee currently working with Microsoft; or x a person involved in any part of the administration and execution of this program. The decisions made by Microsoft are final and binding. Microsoft may cancel this program at any time, for any reason. If you do not agree with these terms please do not participate in this program. Microsoft thanks you for your participation. 6/16/2013 12:37 PM Internet Explorer 11 Preview Bug Bounty Program PROGRAM DESCRIPTION: Microsoft is pleased to announce the launch of the Microsoft Internet Explorer (IE) 11 Preview Bug Bounty Program beginning June 26, 2013 and ending July 26, 2013. For thirty days, individuals across the globe have the opportunity to ƐƵďŵŝƚǀƵůŶĞƌĂďŝůŝƚŝĞƐĨŽƵŶĚŝŶDŝĐƌŽƐŽĨƚ͛ƐIE 11 Preview on our latest Windows platform. Qualified submissions are eligible ĨŽƌƉĂLJŵĞŶƚĨƌŽŵĂŵŝŶŝŵƵŵŽĨΨϱϬϬh^ƚŽΨϭϭ͕ϬϬϬh^͕ĂŶĚďŽƵŶƚŝĞƐǁŝůůďĞƉĂŝĚŽƵƚĂƚDŝĐƌŽƐŽĨƚ͛ƐĚŝƐĐƌĞƚŝŽŶďĂƐĞĚŽŶ the quality and complexity of the vulnerability. Microsoft reserves the right to pay above $11,000 USD, depending on the entry quality and complexity. ^KhEKK>͍ZKE͙ AM I ELIGIBLE TO PARTICIPATE? You are eligible to participate in this program if: x you are 14 years of age or older. If you are at least 14 years old, but are considered a minor in your place of reƐŝĚĞŶĐĞ͕LJŽƵŶĞĞĚƚŽĂƐŬLJŽƵƌƉĂƌĞŶƚ͛ƐŽƌůĞŐĂůŐƵĂƌĚŝĂŶ͛ƐƉĞƌŵŝƐƐŝŽŶƉƌŝŽƌƚŽƉĂƌƚŝĐŝƉĂƚŝŶŐŝŶƚŚŝƐƉƌŽŐƌĂŵ͘ x you are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate͘zŽƵĂƌĞƌĞƐƉŽŶƐŝďůĞĨŽƌƌĞǀŝĞǁŝŶŐLJŽƵƌĞŵƉůŽLJĞƌ͛ƐƌƵůĞƐĨŽƌƉĂƌƚŝĐŝƉĂƚŝŶŐŝŶƚŚŝƐ program. See below for a list of those who are not eligible to participate. WHAT CONSTITUTES AN ELIGIBLE SUBMISSION? sƵůŶĞƌĂďŝůŝƚLJƐƵďŵŝƐƐŝŽŶƐ;͞ƐƵďŵŝƐƐŝŽŶƐ͟Ϳ ƉƌŽǀŝĚĞĚƚŽDŝĐƌŽƐŽĨƚŽƌƉŽƌĂƚŝŽŶ;͞DŝĐƌŽƐŽĨƚ͟Ϳmust meet the following criteria to be eligible for payment: Eligible submissions will include an original and previously unreported vulnerability in IE 11 Preview on the latest Windows platform. Examples include, but are not limited to, Remote Code Execution (RCE), Address Space Layout Randomization (ASLR) Information Disclosure Vulnerabilities, and Sandbox Escape Vulnerabilities. Vulnerability Type not required Proof of concept required Functioning exploit required not required required not required Crash dump Whitepaper Sandbox escape Base Payout Tier required required required required not required required required optional not required Tier 0 Could exceed $11,000 USD* Tier 1 maximum payment $11,000 USD RCE vulnerability not required required n/a optional not required Important or higher severity design-‐level vulnerability not required required Proof of Concept is sufficient optional not required Security bug with Privacy Implications not required required not required optional not required Sandbox Escape Vulnerability not required required optional optional required 6/16/2013 12:37 PM Tier 2 minimum payment $1,100 USD* ASLR Info Disclosure Vulnerability not required required n/a optional n/a Tier 3 minimum payment $500 USD* Ύ,ŝŐŚĞƌƉĂLJŽƵƚƐƉŽƐƐŝďůĞĂƚDŝĐƌŽƐŽĨƚ͛ƐĚŝƐĐƌĞƚŝŽŶďĂƐĞĚŽŶůĞǀĞůŽĨƋƵĂůŝƚLJĂŶĚĐŽŵƉůĞdžŝƚLJ͘ We reserve the right to reject any submission, in our sole discretion, that we determine does not meet the above criteria. Definitions: x RCE vulnerability o A remote code execution vulnerability. x Proof of concept o The files and steps necessary to reliably reproduce the vulnerability. x Functioning exploit o A proof of concept that concretely demonstrates that remote code execution is possible, such as by forcing /ƚŽĞdžĞĐƵƚĞĂƉƌŽŐƌĂŵŽĨƚŚĞĂƚƚĂĐŬĞƌ͛ƐĐŚŽŽƐŝŶŐ;Ğ͘Ő͘, calc.exe). o The exploit must bypass all relevant mitigations that are enabled by IE. x Whitepaper o A technical paper that provides details on the root cause of the vulnerability. If an exploit is provided, the document should also describe how the exploit works. Important or higher severity design-‐level vulnerability o E.g., a cross-‐ĚŽŵĂŝŶ;͞hŶŝǀĞƌƐĂůy^^͟ͿďƵŐĂůůŽǁŝŶŐĨŽƌŝŶĂƉƉƌŽƉƌŝĂƚĞĐŽŽŬŝĞͬKDĂĐĐĞƐƐĂĐƌŽƐƐƐĞĐƵƌŝƚLJ contexts within the browser. Sandbox escape o A vulnerability in IE that allows the attacker to escape the Protected Mode sandbox in IE. Security bug with privacy Implications o This is an otherwise eligible behavior that aggressive or deceptive entities could leverage to invade the privacy of usersͶĞ͘Ő͕͘ŝŶĂƉƉƌŽƉƌŝĂƚĞĂĐĐĞƐƐƚŽĚĂƚĂĂďŽƵƚƚŚĞƵƐĞƌ͛ƐůŽĐĂƚŝŽŶǁŚĞn access has been specifically disallowed via the user interface. Issues must be scoped to the technical functionality of the browser itself and may not include privacy issues relating to the behaviors or policies of web pages rendered by the browser. x x x HOW DO I PROVIDE MY SUBMISSION? Send your complete submission to Microsoft at [email protected]. We are not responsible for submissions that we do not receive for any reason, or for submissions that we receive but are incomplete, or indecipherable. /͛s^Ed/EDz^hD/^^/KE͕EKtt,d͍ x You will receive an email stating that we have received your submission. x Our engineers will review the submission and validate its eligibility. The duration of review time will vary depending on the complexity and completeness of your submission, as well as number of submissions we receive. x Upon validation, you will be contacted to provide the necessary paperwork to keep our legal team at bay. x After receiving that paperwork and confirming you are eligible to receive payment under this program, we will deem your submission to be qualified and process your bounty! BOUNTY PAYMENTS: ŽƵŶƚŝĞƐǁŝůůďĞƉĂŝĚŽƵƚĂƚDŝĐƌŽƐŽĨƚ͛ƐĚŝƐĐƌĞƚŝŽŶďĂƐĞĚŽŶƚŚĞdetail, quality and complexity of the vulnerability. Microsoft retains sole discretion in determining which submissions are qualified. The minimum bounty paid for a qualified submission will be $500 USD. There are no restrictions on the number of qualified submissions an individual submitter can provide and be paid for. 6/16/2013 12:37 PM In the event of a submission submitted by more than one party, if each are eligible submissions, Microsoft will consider not only time and date of submission, but also detail, quality and complexity to be the deciding factor for eligibility of payment of the bounty. LEGAL NOTICE: It is your responsibility to comply with any polices your employer may have that would impact your eligibility to participate in the bug bounty programs. /ĨLJŽƵĂƌĞƉĂƌƚŝĐŝƉĂƚŝŶŐŝŶǀŝŽůĂƚŝŽŶŽĨLJŽƵƌĞŵƉůŽLJĞƌ͛ƐƉŽůŝĐŝĞƐ͕LJŽƵŵĂLJďĞĚŝƐƋƵĂůŝĨŝĞĚĨƌŽŵ participating or receiving bounty payment(s). Government employees who wish to participate are required to provide a ůĞƚƚĞƌĨƌŽŵƚŚĞŝƌĞŵƉůŽLJĞƌ͛ƐĞƚŚŝĐƐĐŽŵƉůŝĂŶĐĞŽĨĨŝĐĞƌĐŽŶĨŝƌŵŝŶŐƚŚĞŝƌĂďŝůŝƚLJƚŽƉĂƌƚŝĐŝƉĂƚĞŝŶƚŚŝƐƉƌŽŐƌĂŵ͘ All payments will be compliant with local laws, regulations and ethics rules. Microsoft disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter. If we determine that your submission is qualified, Microsoft will notify you by sending a reply to your email submission. If the notification that we send is returned as undeliverable, or you are otherwise unreachable for any reason, we may not provide payment. If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the e-‐mail address used to enter the program. Before receiving a bounty payment, you are required to sign an Affidavit of Eligibility (a formal statement verifying your personal information), a Liability/Publicity Release (which provides permission for Microsoft to use your name and likeness without pursuing future claims), and a W-‐9 tax form or W-‐8 BEN tax form within 30 calendar days of notification of validation. If you wish to remain anonymous to the public, we will honor your request, but we must know your legal name in order to pay you. If your submission is qualified and you are 14 or older, but are considered a minor in your place of legal residence, we may require your parent or legal guardian to sign all required forms on your behalf. If you do not complete the required forms as instructed or return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until we have received the fully executed required documentation. If your submission is qualified, please note: x you may not designate someone else as the bounty recipient unless you are considered a minor in your place of residence; x if you are unable or unwilling to accept your bounty, we reserve the right to rescind it; x if you accept a bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s); and x if you are eligible for this program but are considered a minor in your place of residence, we may award the bounty payment to your parent/legal guardian on your behalf. Microsoft is not claiming any ownership rights to your submission. However, by providing your submission to Microsoft, you: x are agreeing to license intellectual property in your submission to Microsoft (please be sure to read and accept these terms before sending us your submission) which includes an irrevocable, perpetual, royalty-‐free, worldwide, unlimited, nonexclusive, sub-‐licensable, unrestricted right and license to: (i) use, review, assess, test and otherwise analyze your submission, to reproduce, modify, distribute, display and perform publically, commercialize and create derivative works of your entry and all its content, in whole or in part, in connection with this program; and (ii) feature your submission and all content in connection with the marketing, sale, or promotion of this program (including but not limited to internal and external sales meetings, conference presentations, tradeshows, and screen shots of the submission in press releases) in all media (now known or later developed); x agree to sign any necessary documentation that may be required for us or our designees to make sure of the rights you granted above; x understand and acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission, and you waive any claims you may have resulting from any similarities to your submission; x understand that you qualify for a one-‐time payment per eligible vulnerability and are not guaranteed any additional compensation or credit for use of your submission; and x ƌĞƉƌĞƐĞŶƚƚŚĂƚLJŽƵƌƐƵďŵŝƐƐŝŽŶŝƐLJŽƵƌŽǁŶǁŽƌŬĂŶĚLJŽƵŚĂǀĞŶ͛ƚƵƐĞĚinformation owned by another person or entity. This program is hosted in the United States, and submissions are collected on computers in the United States. This program will be governed by the laws of the State of Washington, and you consent to the exclusive jurisdiction and venue of the courts of the State of Washington for any disputes arising out of this Program. 6/16/2013 12:37 PM WHO IS NOT ELIGIBLE TO PARTICIPATE? x A resident of any of countries under U.S. sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria; x a current employee of Microsoft Corporation or a Microsoft subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee; x a contingent staff member or vendor employee currently working with Microsoft; or x a person involved in any part of the administration and execution of this Program. The decisions made by Microsoft are final and binding. Microsoft may cancel this program at any time, for any reason. If you do not agree with these terms, please do not participate in this program. Microsoft thanks you for your participation. 6/16/2013 12:37 PM