IE has gone to 11 and is no more. There’s some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well — RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we’ve finally moved on from a browser with an outdated security architecture, we’re still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.

References:

– https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
– https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v
– https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx
– https://web.archive.org/web/20190507215514/https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/ Visit https://www.securityweekly.com/asw for all the latest episodes!

Full Episode Show Notes

IE11 Goes to Zero — A History of Browser Security and Bug Bounties

Hosts

	John Kinsella – Co-founder & CTO at Cysense @johnlkinsella John Kinsella is the Co-founder & CTO of Cysense
	Mike Shema – Security Partner at Square @Codexatron Mike Shema is a Security Partner at Square.

Announcements

• Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!