Daily Archives: April 26, 2015

Microsoft Announces Edge (formerly Spartan) Bug Bounty

Following on from the success of the bug bounty program for Internet Explorer (IE) 11 in 2013, Microsoft has now created a bug bounty for its upcoming web browser, Spartan, which is to be bundled with Windows 10.

The Project Spartan bug bounty programme will last for 2 months (this is double the length that the bounty programme for Internet Explorer 11 lasted). Further details of the success of the IE 11 bug bounty programme are provided in this blog post.

I’m very excited about this bug bounty since the IE 11 bug bounty made an excellent, worthwhile impact in 2013, and earlier this year flaws found in IE’s newest defenses were demonstrated to Microsoft, earning a group of three researchers $125,000. I really hope that flaws are found since, like the Pwn2Own competition, any flaws found will make a widely used application more secure for all of its users. I will provide details of any flaws found on this blog.

Aside: What is Spartan and why does it matter?

Update: 30th April 2015: Microsoft confirmed yesterday that Edge is the new name of its browser for Windows 10.

Spartan (this is a code name; its final name has not yet been announced) will replace Internet Explorer 11 as the default web browser of Windows 10 for all but enterprise customers who wish to use legacy web applications or internal websites that rely on functionality only available in Internet Explorer 8 and older IE versions. Spartan may receive its final name at the upcoming Build conference next week, but this is uncertain right now.

For non-enterprise customers, Spartan will be the default, lightweight and standards-compliant web browser that is set to be used by the vast majority of people who upgrade to Windows 10 (assuming they choose Spartan over alternatives such as Mozilla Firefox, Google Chrome, Opera etc.). For the first time in many years, code has been removed from Microsoft’s web browser to remove features that are no longer needed, such as document modes and VBScript, to name but a few. Further details on the changes made to the rendering engine and how IE will be available for enterprise customers are available in two separate blog posts, here and here.

Update: 8th May 2015:
Microsoft have provided more details in a blog post of the changes being made to the rendering engine of Edge, the features being removed (with explanations of why they are no longer needed) as well as detailing how many lines of code have been removed.

While Spartan will replace IE, IE will still be with us for quite some time to come; however, only more recent versions are set to still receive security updates as of January 2016 (most systems will run IE 9 or later). With the scheduled end of support for Windows Server 2003 in July 2015, IE 6 will no longer receive security updates (without a paid-for custom support agreement with Microsoft). If IE 11 receives the standard 10 years of support (5 standard + 5 extended support), IE 11 will be with us until late in 2023.

Further details on the changes to the versions of IE that will be supported in January 2016 can be found at the following link:

Microsoft slashes IE support, sets ‘huge’ edict for Jan. 2016

Update: 10th November 2015:
The honor roll for Microsoft Edge and Internet Explorer 11 (while they were both in their Technical Preview stages) has been updated to include a large number of security researchers who successfully submitted bugs in 2013 and 2015. By doing so they make every person using these widely used browsers more secure. Their work is much appreciated. Very well done to them!

Thank you.