Sign up to save your podcasts
Or
Share IE11 Goes to Zero -- A History of Browser Security and Bug Bounties - ASW #201
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
IE11 Goes to Zero -- A History of Browser Security and Bug Bounties - ASW #201
IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.
References:
- https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
- https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v
- https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx
- https://web.archive.org/web/20190507215514/
https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw201
View all episodes
By Security Weekly
4.7
3535 ratings
IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.
References:
- https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
- https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v
- https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx
- https://web.archive.org/web/20190507215514/
https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw201
More shows like Security Weekly Podcast Network (Video)
View all
Security Now (Audio)
1,965 Listeners
MacBreak Weekly (Audio)
2,012 Listeners
Risky Business
360 Listeners
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
628 Listeners
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
368 Listeners
CyberWire Daily
1,013 Listeners
Smashing Security
314 Listeners
Click Here
388 Listeners
Darknet Diaries
7,843 Listeners
Techmeme Ride Home
943 Listeners
Cybersecurity Today
165 Listeners
CISO Series Podcast
187 Listeners
Practical AI
188 Listeners
Cyber Security Headlines
119 Listeners
Risky Bulletin
33 Listeners