21 min listen
IE11 Goes to Zero -- A History of Browser Security and Bug Bounties - ASW #201
IE11 Goes to Zero -- A History of Browser Security and Bug Bounties - ASW #201
ratings:
Length:
33 minutes
Released:
Jun 21, 2022
Format:
Podcast episode
Description
IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues. References: - https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf - https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v - https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx - https://web.archive.org/web/20190507215514/ https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw201
Released:
Jun 21, 2022
Format:
Podcast episode
Titles in the series (100)
Interview with Schuyler Towne - Episode 338: Schuyler Towne is on a mission to recover as much information as possible about the lock-related patents that were lost to the patent office fire of 1836. His primary interest is in the history and the story of the creators of the lost locks, but his... by Security Weekly Podcast Network (Video)