Sign up to save your podcasts
Or
Share IE11 Goes to Zero -- A History of Browser Security and Bug Bounties - ASW #201
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
IE11 Goes to Zero -- A History of Browser Security and Bug Bounties - ASW #201
IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.
References:
- https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
- https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v
- https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx
- https://web.archive.org/web/20190507215514/
https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw201
View all episodes
By Security Weekly
4.8
44 ratings
IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.
References:
- https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
- https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v
- https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx
- https://web.archive.org/web/20190507215514/
https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw201
More shows like Application Security Weekly (Video)
View all
Global News Podcast
7,898 Listeners
Risky Business
365 Listeners
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
626 Listeners
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
366 Listeners
LINUX Unplugged
265 Listeners
CyberWire Daily
1,009 Listeners
Darknet Diaries
7,879 Listeners
Cybersecurity Today
166 Listeners
Kubernetes Podcast from Google
181 Listeners
Hacking Humans
314 Listeners
Defense in Depth
74 Listeners
Cloud Security Podcast
58 Listeners
Cyber Security Headlines
127 Listeners
Cloud Security Podcast by Google
38 Listeners
Risky Bulletin
43 Listeners