Mitigation Bypass and Bounty for Defense Terms
PROGRAM DESCRIPTION
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION FOR MITIGATION BYPASS?
- A novel method of exploiting a real Remote Code Execution (RCE) vulnerability. A real RCE vulnerability is understood to be an RCE that exists in a Microsoft application which may or may not have already been addressed through a security update.
- A novel method of bypassing a mitigation imposed by a user mode sandbox. For example, this could include a technique that can bypass symbolic link restrictions imposed by a sandbox or other novel logic issues that enable an attacker to escape the sandbox and elevate privileges.
- It is recommended that submissions target 64-bit user mode applications or applications that run on 32-bit ARM processors.
- Generic: RCE exploitation methods must be applicable to one or more common memory corruption vulnerability classes.
- Reliable: it must have a low probability of failure.
- Reasonable: it must have reasonable requirements and prerequisites.
- Impactful: it must be applicable to high risk application domains (browsers, document readers, etc.).
- User Mode: RCE exploitation methods must be applicable to user mode applications.
- Latest Version: it must be applicable to the latest version of our products on the date the entry is submitted.
- Novel: it must be a novel and distinct method that is not known to Microsoft and has not been described in prior works.
WHAT CONSTITUTES AN ELIGIBLE BOUNTY FOR DEFENSE SUBMISSION?
MITIGATION BYPASS SCOPE
Control-flow integrity mitigations
| Mitigation | In scope | Out of scope |
|---|---|---|
| Data Execution Prevention (DEP) | Techniques that make it possible to execute code from non-executable memory in a process that has enabled DEP (always on) | |
Code integrity mitigations
| Mitigation | In scope | Out of scope |
|---|---|---|
| Arbitrary Code Guard (ACG) | Techniques that make it possible to dynamically generate or modify code in a process that has enabled the ProcessDynamicCodePolicy (ProhibitDynamicCode = 1). | |
| Code Integrity Guard (CIG) | Techniques that make it possible to load an improperly signed binary into a process that has enabled code signing restrictions (e.g. ProcessSignaturePolicy). | |
Supporting mitigations
| Mitigation | In scope | Out of scope |
|---|---|---|
| Child Process Policy | Techniques that make it possible to spawn a child process from a process that has restricted child process creation (via the child process policy). | |
| Address Space Layout Randomization (ASLR) | Techniques that make it possible to generically bypass ASLR in 64-bit applications that enable High Entropy ASLR and Force Relocate Images. | |
| SEHOP/SafeSEH | Techniques that can be used to hijack control-flow by corrupting an SEH registration record in a process/image that enables SEHOP and SafeSEH. | |
| Heap randomization & metadata protection | Techniques that can be used to achieve reliable metadata corruption or user data corruption. | |
MITIGATION BYPASS PAYOUT TIERS
| Tier | Description | Applicable Mitigations | Proof of concept | Report Quality | Maximum Payout range (USD) |
|---|---|---|---|---|---|
| Tier 1 | Novel & fundamental advancement in exploitation technology that universally bypasses current mitigations | N/A | Required | High | $100,000 |
| Tier 1 | | | | Low | $50,000 |
| Tier 2 | Design-level mitigation bypass | | Required | High | $45,000 |
| Tier 2 | | | | Low | $20,000 |
| Tier 3 | Implementation or bug-level mitigation bypasses | | Required | High | $15,000 |
| Tier 3 | | | | Low | $5,000 |
LEGAL NOTICE
Thank you for participating in the Microsoft Bug Bounty Program!
- Jan 31, 2017: Return Flow Guard experimental mitigation was removed from the list of in scope mitigations
- Oct 27, 2017: “Bypasses that rely on race conditions or exception handling” and “Bypasses that rely on thread suspension” were added to the list of “Out of scope” for “Control Flow Guard (CFG)” Mitigations.
- Jan 23, 2018: Instances of missing CFG instrumentation prior to an indirect call added to “Out of Scope” for “Control Flow Guard (CFG)” Mitigations.
- March 20, 2018: "Code replacement attacks" explicitly added to "Out of Scope" for "Control Flow Guard" mitigations.
- June 21, 2018: Remove Control Flow Guard from the list of in scope mitigations
- August 7, 2018: Accidentally re-introduce Control Flow Guard to bounty scope
- October 2, 2018: Remove Control Flow Guard from the list of in scope mitigations (fix above publishing error)