Microsoft is expanding its bug bounty program to cover all of its products, even those that haven't previously been covered by a bounty before and even third-party code.

Security flaws continue to plague the digital world: Microsoft recently patched its Edge browser after Google spotted a zero-day being used by attackers in Chrome.

Last year, Microsoft paid out more than $17 million via its bug bounty program, versus $11.8 million by Google via its Vulnerability Reward Program, with payouts in the hundreds of thousands of dollars.

Microsoft has recently expanded its researcher reward programme to increase payouts for Copilot bugs.

But cloud and AI have changed the landscape, so Microsoft is widening the bounty program to include payments for critical vulnerabilities in online services, even if it didn't write the code.

"In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services. They don’t care who owns the code they try to exploit," wrote Tom Gallagher, VP Engineering for Microsoft Security Response Center, in a blog post.

"The same approach should apply to the security community who continue to partner with us to provide critical insights that help protect our customers. Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved."

Microsoft is calling the new scheme "In Scope by Default," noting that the aim is to widen coverage of its products and automatically include new services as soon as they are released.

"Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit," Gallagher added.

How In Scope by Default works

Microsoft said it will now pay a bounty award for any critical flaw impacting its services, whether the code is "owned and managed" by Microsoft, a third party, or is open source – assuming no other bounty award exists.

"If Microsoft’s online services are impacted by vulnerabilities in third-party code – including open source, we want to know," added Gallagher. "If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code."

Beyond the bounty, Microsoft said it will "do whatever it takes" to fix the flaw.

Microsoft said it hopes that expanding the program to include online domains and cloud services means those outside its existing systems will spend time studying its products.

"Security researchers don’t have our insider perspective and are uniquely placed to think like an attacker," Gallagher said.

The tech giant added that it expects researchers to protect privacy and customer data, and understand its guidelines for responsible security research. Payouts will depend on the severity of the vulnerability.

All the big companies – from Microsoft to OpenAI – offer bug bounties, and some smaller companies are starting to find value too, with awards less costly than regulatory fines and reputational damage.

MORE FROM ITPRO

• Should your business start a bug bounty program?
• Two-thirds of ethical hackers using generative AI in bug hunting
• OpenAI announces five-fold increase in bug bounty reward

Companies of all sizes are starting to see the benefits of bug bounty programs. Big tech firms including Facebook, Google, Microsoft, and Apple have such a program in place, while ChatGPT owner OpenAI recently unveiled such a scheme. 

At a time when breaches are hitting businesses of all sizes, adversaries are constantly probing for security weaknesses through which to attack. Bug bounties help to address this issue at the source, with researchers finding vulnerabilities before they can be used in real-life attack scenarios.

Bug bounty prizes can be huge, with firms such as Google paying out as much as $600,000 to those who find serious holes in its products. While it might seem like a big outlay, advocates point out that the expense is still smaller than regulatory fines and reputational damage caused by a data breach.

What different types of bug bounty program are there?

Bug bounty programs are typically either public or private. “A public bug bounty is usually listed on sites such as HackerOne and Bugcrowd, or in some cases on the company’s own website,” Joshua Hickling, managing consultant at Pentest People, explains.

A private bug bounty is only joinable via invitation, usually based on the researcher’s reputation. For example, those able to find pertinent, exploitable bugs consistently will be invited to private programs, Hickling says.

An organization sets the rules of engagement for its bug bounty program, including assets in and out of scope, types of vulnerabilities, permitted testing methodologies, and reward structure. “Hackers can test for vulnerabilities that elude security teams and cannot be discovered by automated scanning tools,” says Kayla Underkoffler, lead security technologist at HackerOne. 

Among the advantages, programs can be effective very quickly. According to Underkoffler, over 75% of new bug bounty programs on the HackerOne platform receive their first valid vulnerability report within 24 hours.

They can benefit firms of any size, but larger organizations that operate complex networks or handle large amounts of sensitive data are more likely to get value out of a program, says Cezary Cerekwicki, head of product security at browser maker Opera. “The larger an organization and a network, the greater the danger that vulnerabilities might go undetected.”

Large firms are a bigger target for adversaries, so a bug bounty offer might even persuade “unethical hackers” to probe for weaknesses with permission, says Leon Teale, a senior penetration tester at IT Governance. “In exchange, they could receive gifts, cash, notoriety, or honorable mentions,” he suggests.

Michael Adams, CISO at Zoom says the company’s bug bounty program hosted on the HackerOne platform helps the firm “proactively mitigate risk and create a safer environment for our customers”. 

It can be challenging for companies to identify edge-case vulnerabilities or anomalies that only occur in certain circumstances, says Adams. “That’s where the ethical hacker community can perform a vital function in the continuous testing and probing of technologies. In many cases, they can help organizations save time and money by identifying certain security issues before they become a bigger problem.”

Are bug bounty programs worth the cost?

The cost of running a bug bounty program can vary, but experts say the outlay is worth it. There are two components to the cost: the first is the platform fee, if you use one, with firms such as Bugcrowd or HackerOne offering the service a SaaS subscription model.

“This is what we charge for connecting organizations that want to run a program with ethical hackers, triaging the results and verifying they are legitimate vulnerabilities – as well as handling payments to the hacker community,” says Dave Gerry, CEO of bug bounty platform Bugcrowd. 

The second cost is the bounties themselves – which according to Gerry, is set by the market. “If a company’s bounty rates are too low, it will struggle to attract ethical hackers to work on the program.”

You do not have to pay, with some companies purely offering an honorable mention or some “swag” in return, says Teale. “Offering a ‘kudos’ can still be helpful to those who would like to gain recognition through this exposure – although paid bounties will always attract more testers,” he says.

The value of the bounty is usually paid based upon the seriousness of the issue, with low severity flaws seeing bounties of anywhere from $0 to $50 and critical issues in some cases exceeding $100,000, says Hickling. “If a vulnerability is identified which could result in the leak of personally identifiable information, paying a $100,000 bounty far outweighs the potential GDPR fines a business could be hit with.”

How to implement a program in your business

The benefits of having a bug country program are clear, but there can be challenges when implementing one. 

Scoping is important, says Gerry. “To make them manageable, projects are usually targeted at a specific online asset that has already been tested internally. This prevents organizations from exposing themselves to unexpectedly high levels of cost and stops them from being over-run with reports of vulnerabilities.”

It’s also important that firms are ready and able to take remedial action when flaws are discovered, he adds. At the same time, it’s key to match the skills of ethical hackers with the type of assets to be tested, he says. 

But it can be difficult to identify the true impact of vulnerabilities. While an outside researcher might believe they’ve identified a major flaw, companies often have many defenses and mitigations already in place that are not shared externally, says Adams. 

With this in mind, Zoom is rolling out a “Vulnerability Impact Scoring System” to measure the impact of flaws, and pay researchers for the best bugs. 

Before introducing a bug bounty program, it’s important to consider the business objectives, says Adams. “These will help determine the scope of the program, whether it runs as private or public, and the rewards system. It may attract a range of participants from beginner bug bounty hunters to full-time professionals.”

OpenAI has unveiled a new bug bounty program offering rewards for security researchers if they can uncover vulnerabilities in its products. 

In an announcement on Tuesday, the California-based AI firm said the bug bounty scheme is “essential to our commitment to develop safe and advanced AI” and deliver services that are secure, reliable, and trustworthy. 

As part of the initiative, OpenAI said it will offer a tiered reward system based on the severity of bugs uncovered by researchers. 

Rewards can range from as little as $200 for low-severity flaws with a maximum reward of $20,000 for “exceptional discoveries”. 

“The OpenAI Bug Bounty Program is a way for us to recognize and reward the valuable insights of security researchers who contribute to keeping our technology and company secure,” the firm said in a statement. 

“We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology safer for everyone.”

Researchers participating in the new initiative will be able to disclose vulnerabilities or flaws through a partner organisation, Bugcrowd.

Bugcrowd will manage the submission and reward process, which OpenAI said is designed to “ensure a streamlined experience for all participants”. 

ChatGPT vulnerability concerns

The move from OpenAI follows a period of unrest over security-related issues at the generative AI firm, which has close ties with Microsoft. 

Last month, the company revealed that a bug in ChatGPT led to a leak of users' data.

This flaw meant that ChatGPT Plus users began seeing user email addresses, subscriber names, payment addresses, and limited credit card information. 

The issue prompted the company to temporarily take the chatbot offline to work on a fix. 

“The bug was discovered in the Redis client open-source library, redis-py,” OpenAI explained in a post at the time. 

“As soon as we identified the bug, we reached out to the Redis maintainers with a patch to resolve the issue.”

Windows 10 users have reported a broken Microsoft 365 trial offer which prevents access to the desktop until credit card details are entered.

On booting up, some Windows 10 devices have shown a full-screen offer for a trial version of Microsoft 365, the tech giant’s suite of productivity apps.

Buttons at the bottom of the screen read ‘Use for free’ and ‘No thanks’, but each leads to a screen prompting users to enter credit card details.

One Reddit user posted an example of the issue on the platform's Windows 10 community, noting that they had to put in their credit card details to gain access to their desktop and cancel afterwards to prevent being charged recurring payments.

No other buttons on the window enabled the user to skip entering payment details.

Microsoft 365 costs between £4.50 and £16.60 per month for businesses. It is unclear whether the nature of this bug enables it to appear on devices that are already subscribed to a plan with the suite, which could decide the likelihood of it being recreated on business laptops.

Another user posted a similar bug on a subreddit designed to highlight bad user interface (UI) design. Their full-screen offer advertised 50% off Microsoft 365 Family, and identically to the other post pressing ‘No thanks’ took them to the payment details screen.

The offer is meant to be shown in the Windows out of box experience (OOBE), which users see when a device is first turned on after purchase or immediately following a Windows 10 factory reset.

As the bug has not been addressed by Microsoft, it is not clear if it is the result of an erroneous update or a flaw with the individual users' machines.

One Reddit user asked for the name of the device's original equipment manufacturer (OEM).

"Looks like a bug in their OOBE - e.g. strings got swapped in their translations," wrote one individual.

"Not a [Microsoft] problem - though I'm sure if it gets into the right channels could mean a big fine for the OEM."

IT Pro has approached Microsoft for more information.

Microsoft has warned that some Windows 11 users may encounter a bug which prevents access to applications after running the System Restore program.

An advisory published by the tech giant confirmed that devices using the latest versions of Windows 11 have been impacted by the bug, which affects some applications using the MSIX Windows app package format.

Users have reported problems running a number of applications, Microsoft said, including Office, Notepad, Paint, Cortana, and Terminal.

In its advisory, the company warned that this is not a comprehensive list and could include a range of other apps run via the MSIX app package.

“This list of apps is not a complete list,” the tech giant said. “Any Windows applications that use the MSIX Windows app package format may experience this issue.”

Users affected by the bug have reportedly been met with an error message stating “this app can’t open” instead of the app launching, while some apps have multiple entries on the Start Menu.

In some instances, apps have simply failed to respond upon launch, Microsoft said. In addition, users have encountered an I/O error which is followed by the app crashing.

The complete list of operating systems affected includes Windows 11 version 22H2, Windows 11 SE, Windows 11 Home and Pro, Windows 11 IoT Enterprise, Windows 11 Enterprise and Education, and Windows 11 Enterprise Multi-Session.

Windows 11 System Restore bug – potential workarounds

Microsoft has outlined a number of potential workarounds for users affected by the bug.

This includes restarting the app or attempting to reinstall the app from the Windows Store.

Additionally, users have been advised to try running Windows update or reinstalling the app “from the original source from which it was first installed”.

Windows 11 issues snowballing

Issues for Windows 11 users also appear to have been compounded over the last 48 hours amidst claims that IT admins have encountered unresponsive Windows taskbar and Start Menus.

Microsoft said it is currently investigating the issue, which reportedly hampers users’ ability to log into Outlook and Teams.

Reports suggest that users have been repeatedly unable to access the Windows Start Menu while other users have revealed the Windows Search feature is unavailable.

The Windows bugs follow a recent high-profile issue affecting Windows Defender which caused significant issues for IT admins globally.

An update for Windows Defender caused users to experience a “series of false positive detections” for the Attack Surface Reduction (ASR) rule, Microsoft confirmed.

Users who encountered the issue reported that their device's Start Menu, Taskbar, and desktop shortcuts were deleted.

On Saturday 14 January, Microsoft published instructions detailing ways that users could rectify the issue. This included updating to build 1.381.2164.0 or later.

Microsoft has warned that some Windows 10 users may encounter the infamous ‘blue screen of death’ (BSOD) after installing its latest 'Patch Tuesday' security updates.

In an update on the Windows Health Dashboard, the company revealed that the blue screen issue could affect selected users who downloaded the KB5021233 update in this month’s recent raft of security fixes.

KB5021233 was initially intended to resolve an issue affecting the Camera app after users reported that the app stops responding when memory is low.

The issue has so far affected users operating several different versions of Windows 10, the firm revealed, including 22H2, 21H2, 21H1, and 20H2.

Impacted users have been met with the BSOD and error code 0xc000021a upon startup, and have been unable to access devices.

“After installing KB5021233, there might be a mismatch between the file versions of hidparse.sys in c:/windows/system32 and c:/windows/system32/drivers (assuming Windows is installed to your C: drive), which might cause signature validation to fail when cleanup occurs,” Microsoft confirmed in its update over the weekend.

How to fix the issue

Microsoft revealed it is currently “working on a resolution” for the issue and said it will provide an update in an upcoming release.

However, for users currently affected by the problem, the firm offered a temporary workaround using the Windows Recovery Environment (WinRE).

“To mitigate this issue on devices already experiencing it, you will need to use Windows Recovery Environment (WinRE),” Microsoft said.

The firm outlined the following steps for affected users:

1. Enter Windows Recovery Environment. If your device has not automatically started up into WinRE, please see Entry points into WinRE.
2. Select 'Troubleshoot'
3. Select the 'Start recovery, troubleshooting, and diagnostic tools button
4. Select 'Advanced Options'
5. Select 'Command Prompt' and wait for your device to restart, if needed.
6. Your device should restart to a Command Prompt window. You might need to sign into your device with your password before getting to the Command Prompt window
7. Run the following command (Important: If Windows is not installed to C:\windows you will need to modify the command to your environment): xcopy C:\windows\system32\drivers\hidparse.sys C:\windows\\system32\hidparse.sys
8. Once the previous command completes, type: exit
9. Select 'Continue'

After following these steps, Microsoft said Windows should now startup “as expected” for users. The firm also warned users against finding alternative workarounds.

“It is not recommended to follow any other workaround than those recommended above. We do not recommend deleting the hidparse.sys from your Windows\System32 folder,” the company said.

Patch Tuesday

This particular issue comes as a result of Microsoft’s recent Patch Tuesday update, issued on 13 December.

As part of the update, Microsoft patched a number of critical vulnerabilities along with fixes for two critical zero-day vulnerabilities.

49 vulnerabilities were disclosed in the bulletin last week. Six were rated as ‘critical’ while another was identified as having been actively exploited in the wild.

The exploited bug, tracked as CVE-2022-44698, was found to affect Windows SmartScreen and enabled threat actors to bypass Mark of the Web (MOTW) protocols.

SpaceX is offering between $100 and $25,000 in bounties to hackers who report exploits to the company through their website.

The spacecraft manufacturer has set up a dedicated page on crowdsourced bug bounty platform Bugcrowd, giving would-be white hats a centralised method for reporting un-patched SpaceX and Starlink exploits.

Hackers who submit reports on network vulnerabilities can expect up to $10,000, while on a “case-by-case” basis those who discover and report vulnerabilities with Starlink dishes, satellites or other such hardware can receive up to $25,000.

According to its Bugcrowd page, SpaceX has so far rewarded 41 vulnerability reports, at an average of $972 each. A more comprehensive list of prices per type of vulnerability discovered can be found on the page, but SpaceX specifically forbids physical tampering with its infrastructure or that of Starlink’s, as well as testing that could directly impact its services.

In a document shared by SpaceX titled ‘Starlink welcomes security researchers (bring on the bugs), the company outlines its position on bug bounties.

“We allow responsible security researchers to do their own testing, and we provide monetary rewards when they find and report vulnerabilities,” states the document.

“We recognize and appreciate the support of the broader security community in making Starlink better and more secure. We encourage researchers to test Starlink for security issues in a non-destructive way and to report their findings through our bug bounty program.”

SpaceX further states that it considers vulnerability research within its bug bounty policies to be exempt from Digital Millennium Copyright Act (DMCA) claims, legal action as a result of Computer Fraud and Abuse Act (CFAA) violation, and SpaceX terms and conditions that would interfere with research.

Bug bounties are a popular form of publicly-sourced testing for companies, that offer white hat hackers lucrative rewards and permission to attempt to hack some of the most challenging commercial security systems, in return for information on any vulnerabilities that they discover.

In June, an employee working for the vulnerability coordination platform HackerOne was found to have been stealing and re-submitting bug bounties for personal profit and was subsequently fired.

The Starlink constellation, which aims to provide satellite broadband access to customers worldwide, is rapidly growing. With over 2,500 satellites currently in orbit and an end goal of 12,000 having been approved by the FCC, it is a frontrunner in the growing race for satellite internet dominance, which has already spawned disagreements as well as interest from agencies such as DARPA.

Microsoft has announced two brand-new awards for its Microsoft 365 bug bounty programmes, offering the highest potential payouts for eligible submissions.

The two new awards focus on scenario-based bugs, Microsoft said and will be available to the Dynamics 365 and Power Platform Bounty Program and the M365 Bounty Program.

The most severe bugs that could be used in high-impact scenarios will be awarded the biggest payouts with the potential for a 30% bonus on top of the vulnerability itself.

Microsoft lists several examples of high-impact scenarios in which it’s looking for reported bugs. Remote code execution (RCE) flaws attract the most lucrative payouts and the full 30% bonus, in some cases, while others such as privilege escalation issues, information disclosure, spoofing, tampering, and denial of service (DoS) bugs also lead to awards.

In Microsoft’s most recent ‘Patch Tuesday’, issued last week, a total of 145 vulnerabilities were addressed and the majority of these were privilege escalation and RCE issues.

RCE vulnerabilities accounted for close to a third of all the bugs that were patched, three of which were rated 9.8/10 for severity and two were wormable.

The severity of the reported bug, combined with the quality of the report itself and whether it can be executed in a high-impact scenario all impact the overall payout.

There are six total scenarios Microsoft earmarked for bonuses, five of which are exclusive to the M365 Bounty Program. Each one has a unique common weakness enumeration (CWE) code with additional bonuses ranging between 15-30% of the initial bug’s reward.

The Dynamics 365 and Power Platform Bounty Program has just the one high-impact scenario which is ‘cross-tenant information disclosure’ - a condition that warrants a maximum reward of $20,000 if met.

Microsoft added scenario-based rewards to its cloud security bug bounty programs in October last year, offering larger bonuses of up to 50% and a total value of $60,000 for the most severe flaws affecting Azure services.

Cross-tenant data leakage in Azure Synapse Analytics, and compromise logging or auditing keys in Key Vault, were both made eligible for the maximum bonuses at the time.

The company announced in July last year that it awarded a total of $13.6 million in bug bounty payouts in the previous one-year period, a figure three times greater than what it awarded in 2019.

Adobe has had to issue another software update after an out-of-band patch failed to fix a vulnerability in its e-commerce software.

Last weekend, the company released an out-of-band patch to fix a vulnerability in its Adobe Commerce and Magento Open Source e-commerce products.

The CVE-2022-24086 input validation bug allowed attackers to run their own code on e-commerce sites, making them vulnerable to cart skimmers. The company said that the attack had been exploited in the wild.

Adobe credited the new discovery to one of the bug researchers that found the original vulnerability. The researcher from security company Bugscale, who uses the Twitter handle @Blaklis, warned about Adobe's first patch on Twitter. "THIS IS NOT SUFFICIENT to be safe," they said, adding a comment that hinted at the cause of the problem: "take care of json/url encoded values".

Researchers at security company Positive Technologies also warned that they had bypassed the initial patch to exploit the vulnerability again. "We weren't the first," they added.

The additional research created a new vulnerability ID, CVE-2022-24087. It mirrors the first bug's 9.8 (critical) rating. Adobe released a fix for the bug, which customers must apply on top of the first patch.

This isn't the first critical vulnerability that Adobe has had to patch lately. Earlier this month it issued a patch for a critical bug, CVE-2022-23202, that enabled attackers to execute their own code in its Creative Cloud Desktop application.

It also patched an arbitrary code execution bug in Adobe After Effects, and another in Photoshop.

Google has announced it will be doubling the rewards it offers to bug hunters who can demonstrate working exploits for a range of zero-day and one-day vulnerabilities across a variety of platforms.

The reward increases will be applied to exploits discovered in the Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF (Kubernetes-based infrastructure for capture the flag exercises), with the next review coming at the start of 2023.

Rewards offered for valid one-day security exploits increase by more than double to a maximum of $71,337, up from $31,337 previously. Sometimes known as 'n-days', one-days are publicly known vulnerabilities that have patches for them, but Google will offer rewards for novel exploits in this case.

Bug hunters seeking rewards for valid one-day exploits will have to provide a link to the existing patch in their report. Google also said it will be limiting the number of rewards for one-day vulnerabilities to only one version or build.

"There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the $31,337 base rewards up to 36 times (no limit for the bonuses)," said Eduardo Vela, Product Security Response TL/M at Google. "While we don't expect every upgrade to have a valid 1day submission, we would love to learn otherwise."

Valid exploits for previously unknown zero-day vulnerabilities will nearly double to a maximum reward of $91,337, up from $50,337 previously. Zero-day vulnerabilities typically attract greater rewards because any given vendor would always want to secure the weakness before news of it ever reached cyber criminals.

"We launched an expansion of kCTF VRP on 1 November 2021 in which we paid $31,337 to $50,337 to those that are able to compromise our kCTF cluster and obtain a flag," said Vela. "We increased our rewards because we recognised that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that, we would like to extend it even further to at least until the end of the year (2022)."

An increasing amount of recent research has highlighted cyber criminals' shift in focus towards Linux environments, both in and outside of the cloud.

Qualys published findings earlier this year regarding a Linux root privilege flaw that went unnoticed for 12 years while "hiding in plain sight", while VMware observed an increasing number of ransomware attacks targeting Linux-based multi-cloud environments last week.

Full details on the reporting process can be found in the Google blog post.

Reward structure

Google will offer a base reward of $31,337 for the first valid exploit for a given vulnerability, zero-day or one-day. This will only be paid once per vulnerability and once per cluster version or build. Duplicate exploits will not be awarded unless it presents a novel exploit chain, Google said.

From there, a total of three bonuses of $20,000 are available depending on the nature of the exploit disclosed.

• $20,000 will be awarded if the exploit is a zero-day
• A further $20,000 will be awarded for exploits that do not require unprivileged user namespaces
• Another $20,000 is on offer to those who can demonstrate novel exploit techniques. This also applies to duplicate exploits and Google requires a full write-up to qualify as a valid submission

Intel has expanded its $100,000 bug bounty program in an effort to entice “elite hackers” to report vulnerabilities in the company's firmware, hypervisors, graphics processing units (GPUs), and chipsets.

Of the 113 external vulnerabilities detected in 2021, 97 were reported to Intel through its public bug bounty program.

Dubbed Project Circuit Breaker, the expansion to Intel's existing program will see the creation of an integrated community that will offer targeted training, hacking challenges, and opportunities to explore new and pre-release products, in addition to enhanced collaborations with hardware and software engineering teams at Intel.

"Project Circuit Breaker broadens and deepens Intel's existing open Bug Bounty program by hosting targeted time-boxed events on specific new platforms and technologies, providing training and creating opportunities for more hands-on collaboration with Intel engineers," explained Intel.

"Project Circuit Breaker's first event, Camping with Tigers, is already underway with a group of 20 researchers who received systems with Intel Core i7 processors (formerly Tiger Lake)."

In the exclusive Camping with Tigers event, researchers will look for security vulnerabilities in Intel’s Tiger Lake platform. The program began in December 2021 and will be in effect until May 2022. At three milestones, eligible vulnerabilities will earn bounty multipliers.

Potential findings may include, among others, micro-architectural and firmware vulnerabilities. This covers flaws related to BIOS, IP firmware components, embedded controller, sensor, trusted platform module, and flash storage.

“We invest in and host bug bounty programs because they attract new perspectives on how to challenge emerging security threats – and Project Circuit Breaker is the next step in collaborating with researchers to strengthen the industry’s security assurance practices, especially when it comes to hardware, said Katie Noble, director of Intel’s product security incident response team (PSIRT) and bug bounty.

“We look forward to seeing how the program will evolve and to introducing new voices to the meaningful work that we do,” added Noble.

Cloudflare, a provider of web infrastructure and security services, has announced the launch of its public bug bounty program.

Bug hunters and security researchers can now report vulnerabilities found in Cloudflare products as part of the company's latest program, which is hosted on HackerOne.

A private bounty program was previously launched in 2018, following a vulnerability disclosure program in 2014. The company paid $211,512 in bounties during the lifetime of this program, with 292 out of the 430 reports receiving a reward.

Rewards for Cloudflare's latest program vary with the severity of the vulnerability. Each security flaw is assigned a severity rating based on the Common Vulnerability Scoring Standard (CVSS) version 3.

There is a $3,000 payment for a critical vulnerability report, while high, medium, and low vulnerabilities are worth $1,000, $500, and $250, respectively. However, rewards vary for secondary and other targets.

As a way to make vulnerability research easier, Cloudflare also developed a sandbox called CumulusFire, which provides a standardized playground for researchers to test their exploits. The sandbox will also assist Cloudflare’s security teams in reproducing potential exploits for analysis.

“CumulusFire has already helped us address the constant trickle of reports in which researchers would configure their origin server in an obviously insecure way, beyond default or expected settings, and then report that Cloudflare’s WAF does not block an attack. By policy, we will now only consider WAF bypasses a vulnerability if it is reproducible on CumulusFire,” explained Cloudflare.

A good place to start is to refer to the documentation on Cloudflare's developer and API portals, the Learning Center, and its support forums.

The firm also aims to add additional documentation, testing platforms, and a way for researchers to interact with its security teams to ensure submissions are valid.

Microsoft has issued an out-of-band patch for Windows Server to fix a problem that could potentially stop remote desktop users logging into the system.

The flaw causes performance issues with Windows Server, which would result either in a slow sign-in process, general slowness, or at worst a black screen, Microsoft said.

Windows Server 2019 is at risk, and Microsoft has published KB5010196 to address this edition. The bug also affects Windows Server 2012 Release 2, which the company has addressed with KB5010215.

Also affected are Window Server 2022 and 2016, which the company said it would address in the coming days.

The bug stemmed from the KB5008218 update that Microsoft released during a regular Patch Tuesday update on December 14. This update introduced some security changes for Windows.

The out-of-band updates will not install automatically as part of the Windows Update service, meaning that administrators must install them manually by importing it into the Windows Server Update Service (WSUS). They can get the Windows Server 2019 patch by visiting the Microsoft Update Catalog website. Windows Server 2012 Release 2 users can go here.

The latest updates are cumulative, and the Windows Server 2019 update inherits three other less urgent Windows issues identified by Microsoft. This includes errors for devices using Asian language packs, and a temporary problem starting the Windows Cluster Service that disappears when rebooting after approximately 20 minutes. There is also an issue with versions of Windows Server used as Key Management Services hosts that might prevent some client Windows 10 operating systems from activating. The company will fix these in future releases, it said.

Out-of-band patches for Windows Server are rare. Microsoft issued one in November last year, addressing a bug in Windows Server when used as a domain controller. The flaw prevented servers from authenticating legitimate users who tried to access resources using a single sign-on token.

Meta has expanded its bug bounty programme to include flaws that lead to data scraping in a move it's describing as an industry-first.

The programme will now cover database scraping and also offer rewards for researchers who can simply show novel methods of scraping on its products - the latter of which is a first-of-its-kind programme, according to the newly rebranded parent company of Facebook.

It will begin as a private programme only available to Meta's Gold+ HackerPlus security researchers - a title for researchers who have reported at least five valid bugs to the company - and will offer rewards to those who show how data scraping can be achieved, regardless of the degree of impact on the product.

Researchers can submit methods even if the data is public and Meta said it's particularly looking for reports regarding logic bypass issues - flaws that permit access to data via unintended mechanisms.

Data scraping can be achieved using specially crafted scripts, often using the Python programming language, which are designed to lift the data from any given web page. These scripts can be designed to grab specific information, depending on the target and the purpose of the activity.

"We know that automated activity designed to scrape people’s public and private data targets every website or service," said Meta in an announcement.

"We also know that it is a highly adversarial space where scrapers - be it malicious apps, websites or scripts - constantly adapt their tactics to evade detection in response to the defences we build and improve. As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform."

The move comes more than two years after the company formerly known as Facebook first identified an issue that allowed users to scrape data of 533 million of its users. The data was leaked online, in full, by a hacker earlier this year after they ran an underground business that saw people pay small sums to access and retrieve information such as users' phone numbers.

Meta has said it will also reward researchers who can demonstrate they can scrape datasets containing at least 100,000 Facebook user records, starting today.

To be eligible for a reward, the dataset must be unique and unknown to Meta, and contain personally identifiable information (PII) such as email addresses, phone numbers, physical addresses, or religious or political affiliations.

"If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed," the company said.

The maximum reward for the programme is not disclosed by Meta, but it said each successful, eligible disclosure will be rewarded with the bare minimum of $500 (£376).

Database scraping is often confused with a data breach and it represents an interesting differentiation of the two terms, despite the outcome largely being the same - user data falling into the hands of those with whom the user did not explicitly share.

Unlike data breaches, which fall under the Computer Misuse Act, there is no specific law against data scraping in the UK. However, sites can take action against individuals if the data scraping results in an infringement of intellectual property or breaches the site's terms of service.

Encountering a Blue Screen of Death (BSOD) on a Windows 11 system can be alarming for any user, from IT professionals managing critical infrastructure to individuals relying on their PCs for daily tasks. This critical stop error, often displaying a cryptic message, signals a serious system issue that has forced Windows to halt to prevent potential data corruption or hardware damage. While a BSOD can stem from a multitude of causes, including hardware malfunctions, driver incompatibilities, or corrupted system files, many instances are resolvable. This guide provides a structured approach to diagnosing and fixing common Blue Screen of Death errors in Windows 11, helping you restore system stability.

Experiencing a blue screen of death (BSOD) on Windows 11 can be a frustrating encounter, but it’s a relatively common issue that doesn’t always indicate a catastrophic problem. Many Windows users have encountered a BSOD, which signals a system crash. Fortunately, it often can be resolved with systematic troubleshooting.

The causes of a BSOD can vary widely, ranging from hardware issues (like faulty RAM or overheating components) and driver conflicts to software bugs and corrupted system files. In some cases, a simple restart may temporarily resolve the issue. However, for persistent problems, more comprehensive methods are needed to address and fix the underlying causes to ensure your system runs smoothly.

The BSOD on Windows 11 helpfully provides an error code (often called a Stop Code) and sometimes a QR code to give users an initial idea of what caused the crash. These codes are the starting point for diagnosis.

The BSOD is also known as a ‘STOP error,’ indicating a fatal system error. IT professionals have referred to it by its foreboding name for years due to its disruptive nature.

A brief historical note: When Windows 11 first launched, some early builds displayed this error screen with a black background. However, Microsoft quickly reinstated the classic blue background in subsequent updates. If you encounter a black screen error, it indicates you are running a significantly outdated build of Windows 11, and you should prioritize updating Windows 11 immediately to benefit from the latest security patches, features, and stability improvements.

How to fix the blue screen of death in Windows 11

The BSOD in Windows 11 is designed to be more user-friendly than in older Windows versions, but its sudden appearance can still be daunting. When a BSOD occurs, your system typically attempts to gather diagnostic information and may automatically restart.

To avoid any potential loss of unsaved work if the system is configured to collect a memory dump, it’s best to let the process complete if it shows a percentage counter.

Here are effective steps to diagnose and resolve a BSOD:

Some errors are harder to diagnose, however. The error code IRQL_not_less_or_equal, for example, usually relates to a hardware fault, such as a corrupted RAM module.

It can also be triggered by faulty drivers, or even faulty antivirus software

Aside from using the QR code, the quickest way to check the error is to type the code into a search engine. It’s best to find the Microsoft Support page for that code first and foremost, before looking at third-party sites that will either try and sell you a quick fix, or get you to try every fix possible

The Microsoft support page will be able to explain the error, the circumstances that triggered it, and if there is a fix or workaround to resolve it. The support page should give you step-by-step instructions to follow and guide you on your way to resolving the issue.

If there are no fixes, or if the page only offers vague information like 'driver issue', it’s time to think back to any recent installations or changes you made to your machine, and if need be, uninstall them.

You can follow our detailed guide on how to boot Windows 11 in Safe Mode. If the BSOD does not occur in Safe Mode, a third-party driver or software is likely the culprit. This is similar to booting Windows 10 in safe mode.

What is the green screen of death in Windows 11?

If you’re a Windows Insider running preview builds of Windows 11, you might encounter a Green Screen of Death (GSOD) instead of blue. The GSOD serves the same purpose but is green to distinguish crashes in Insider builds from those in stable releases. It often contains more detailed debugging information. If you encounter a GSOD, the issue may be specific to the unstable preview build, and fixes that are perhaps not yet available. Check the Windows Insider Program hub and forums for support.

Managing software conflicts

Managing software conflicts in Windows 11 starts with the simplest remedy: keep everything current. Refresh the operating system, device drivers and every application you have installed, because most updates slip in quiet compatibility tweaks and bug fixes that stop potential clashes before they can knock the whole machine over. If crashes continue after you patch, cast an eye over any programs you have added or upgraded in the past few days; it is not unusual for a brand-new utility — or even a well-meant update — to spark the infamous blue screen. Removing the newcomer through “Apps & Features” in Settings will tell you quickly whether it was the culprit.

Sometimes the friction hides in the background, so pare back what loads at start-up. Open Task Manager with Ctrl + Shift + Esc, switch to the “Startup” tab and turn off anything that is not essential to daily work. A leaner launch makes it easier to spot a rogue process that was tripping Windows during boot.

When stubborn conflicts refuse to show themselves, boot the system with just the bare minimum of services and drivers. This so-called clean boot isolates the offender by process of elimination, letting you restore normal operations with confidence that the disruptive code has been identified — and that the dreaded BSOD will stay away.

Windows 11 Safe Mode is a vital diagnostic utility that enables users to troubleshoot complex system issues by booting the operating system in a minimal state. By loading only the most essential drivers and services, Safe Mode effectively isolates the root causes of problems, whether they are software glitches, driver conflicts, or performance bottlenecks.

This stripped-back environment is particularly useful for tackling persistent crashes, system instability, or malware infections. Disabling non-essential components allows IT professionals and users to identify and resolve underlying issues without interference from third-party applications or background processes.

Windows 11 provides three distinct Safe Mode environments to suit different troubleshooting needs: Standard Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt.

Understanding how to use these configurations effectively is crucial for diagnosing and resolving system issues without compromising security or functionality.

Why boot into Windows 11 Safe Mode?

Booting into Windows 11 Safe Mode is a crucial step when addressing significant system issues, such as frequent crashes, system instability, or failure to boot correctly. By initiating the operating system with only essential drivers and services, Safe Mode creates a controlled environment that simplifies the process of isolating and resolving underlying problems. ​

One prevalent issue that Safe Mode can help mitigate is the Blue Screen of Death (BSOD), often resulting from faulty or outdated drivers. If you've recently installed new hardware or software leading to system instability, booting into Safe Mode allows you to uninstall the problematic components or revert to a stable configuration. ​

Additionally, running the Check Disk (CHKDSK) utility in Safe Mode is advisable for diagnosing and repairing hard drive errors. This tool scans the file system and metadata of a volume for logical and physical errors, ensuring the integrity of your data. 

Executing CHKDSK in Safe Mode minimizes the chance of interference from third-party processes, leading to a more effective repair process. ITPro’s guide on running the Chkdsk tool is a great resource for addressing potential hard drive errors while in Safe Mode. 

Important warning: Check for BitLocker

Before attempting to boot into Safe Mode, ensure you have your BitLocker Recovery Key handy. If your device is encrypted (which is standard on most modern Windows 11 laptops), the system may interpret the change in boot mode as a security risk and lock the drive.

You can find your 48-digit recovery key by logging into your Microsoft account on another device (account.microsoft.com/devices/recoverykey). Without this key, you may find yourself locked out of the system once the recovery menu loads.

How do I know if Windows 11 is in Safe Mode?

​When your system boots into Windows 11 Safe Mode, several indicators confirm this status. The desktop will appear with a basic black background, devoid of personalized elements such as custom wallpapers or themes. 

Additionally, the text "Safe Mode" will be displayed in the corners of the screen, including just above the clock in the bottom-right corner. 

How to boot into Safe Mode in Windows 11

​Accessing Safe Mode in Windows 11 is similar to previous versions, offering multiple methods to accommodate different scenarios. Whether you're logged into your system or unable to boot into Windows, you can initiate Safe Mode through various approaches. ​

Here’s a breakdown of the four most common methods:

• Method One - The Start Menu method
• Method Two - The Advanced Start method
• Method Three - The Function Key method
• Method Four - The ‘When all else fails’ method

Read on to see detailed instructions for each step.

1. Completely shut down your computer.
2. Turn the computer on and immediately start tapping the appropriate recovery key repeatedly.
3. The key varies by manufacturer: try F11 (HP, Lenovo), F12 (Dell), F9 (Asus), or Esc.
4. If successful, you will see the "Choose an option" or "Recovery" screen.

Note: On most modern Windows 11 PCs, the traditional F8 menu is disabled by default to speed up boot times. If F11 or Esc does not work, you will likely need to use Method Four (interrupting the boot process) instead.

1. Turn on the computer, then hold down the power button to interrupt the boot.
2. Repeat this process two more times.
3. On the third reboot, you’ll see the Startup Repair option.
4. Choose Advanced Options from here to enter Safe Mode.

Navigating the recovery menu

After following the steps outlined in any of the methods listed above, your PC will reboot into a recovery menu. At this stage, you will need to complete these steps:

1. Click on ‘Troubleshoot’
2. Click on ‘Advanced Options’
3. Click on ‘Start Up Settings’
4. Click on ‘Restart’

After clicking Restart, your PC will reboot and display a numbered list of startup options. You cannot use your mouse on this screen; you must use the physical keyboard.

Press the number or Function key corresponding to your desired mode:

• Press 4 (or F4) for Standard Safe Mode.
• Press 5 (or F5) for Safe Mode with Networking (drivers for Wi-Fi/Ethernet).
• Press 6 (or F6) for Safe Mode with Command Prompt.

Whichever option you choose, your machine will immediately load into the Safe Mode environment.

Leaving Safe Mode

A straightforward restart is typically sufficient to exit Safe Mode in Windows 11. You can do this by clicking the Start button, selecting the Power icon, and then choosing Restart. This action should reboot your system into its standard operating mode, restoring all personalized settings and functionalities.

However, there are instances where the system may persist in Safe Mode despite a restart. In such cases, manual intervention is required to reset the boot configuration:

1. Open the Run dialog box by pressing the Windows key + R. 

2. Type msconfig and press Enter to launch the System Configuration utility. 

3. Navigate to the 'Boot' tab.

4. Uncheck the 'Safe boot' option under Boot options. 

5. Click 'Apply', then 'OK'. 

6. Restart your computer. 

This process modifies the boot settings to ensure that Windows 11 starts in its normal mode. 

Safe Mode for System Restore in Windows 11

Integrating System Restore with Windows 11's Safe Mode offers a method for addressing system issues, such as crashes or irregular behaviour following software installations. 

Using Safe Mode, which runs with minimal drivers and services, allows you to perform a System Restore without interference from third-party applications or problematic drivers, facilitating a smoother recovery process.

Benefits of Using System Restore in Safe Mode

Using System Restore in Safe Mode is useful for resolving issues caused by recent updates or drivers. It allows you to revert to a stable state with minimal risk, as only essential system files and services operate during restoration.

Steps to Perform System Restore in Safe Mode

Performing a System Restore in Safe Mode is a reliable method to resolve software-induced problems, potentially saving time that might otherwise be spent on manual troubleshooting.​

After clicking Restart, your PC will reboot and display a numbered list of startup options. You cannot use your mouse on this screen; you must use the physical keyboard.

Press the number or Function key corresponding to your desired mode:

• Press 4 (or F4) for Standard Safe Mode.
• Press 5 (or F5) for Safe Mode with Networking (drivers for Wi-Fi/Ethernet).
• Press 6 (or F6) for Safe Mode with Command Prompt.

Whichever option you choose, your machine will immediately load into the Safe Mode environment.

Considerations

System Restore is a useful tool, but it is important to understand its limitations. It may not resolve issues caused by hardware malfunctions or severe malware infections. 

While System Restore does not affect personal files, it can remove recently installed applications and drivers. Therefore, it is wise to regularly back up important data and ensure that System Restore is properly enabled and configured on your system.

The Singapore government is expanding its bug bounty programme to enable which white hat hackers to earn up to $5,000 for vulnerabilities they report through HackerOne.

The Government Technology Agency (GovTech) has launched a new Vulnerability Rewards Programme (VRP) as part of its Government Bug Bounty Programme (GBBP) and Vulnerability Disclosure Programme (VDP) which it says will supplement its suite of cyber security capabilities.

The VRP aims to continuously test a wider range of critical ICT systems necessary for the continuous delivery of essential services in the country’s digital economy, the government stated.

The programme offers monetary rewards ranging from $250 to $5,000 to white hat hackers depending on the severity of vulnerabilities discovered. It is also offering a special bounty of $150,000 for the discovery of vulnerabilities that could cause “exceptional impact on selected systems and data”, which is benchmarked against other bounty programmes conducted by global tech firms like Google and Microsoft.

“Since the launch of our first crowdsourced vulnerability discovery programme in 2018, we have partnered with over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities,” said Lim Bee Kwan, assistant chief executive for governance and cybersecurity at GovTech.

“The new Vulnerability Rewards Programme will allow the Government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure Smart Nation.”

Currently, the programme will cover three systems, Singpass and Corppass (GovTech), Member e-services (Ministry of Manpower), and Workpass Integrated System 2 (Ministry of Manpower), with more critical ICT systems set to be added to the programme in the future.

The government said that only white hat hackers who have met strict criteria will be allowed to participate, as “these are systems that are critical to the delivery of essential government services”. The checks will be carried out by HackerOne and registered participants will carry out security testing through a VPN, which will also be provided by the bug bounty company.

Google has announced the launch of a new bug bounty platform that will make it easier for vulnerability hunters to submit issues.

Available under bughunters.google.com, the platform brings together all of the tech giant’s vulnerability reward programmes (VRP) – Google, Android, Abuse, Chrome, and Play – with hunters able to submit issues using a single intake form.

Moreover, the new platform will provide more opportunities for interaction with other hunters through gamification, including awards and badges for certain bug-reporting achievements.

Google has also improved its VRP leaderboards, which will now be “more functional and aesthetically pleasing”, as well as show the best hunters per country, making it easier to use the results to boost a CV when applying for a job in tech.

The new platform also provides greater emphasis on research and education, making it easier for hunters to publish their bug reports in order to share their knowledge. Hunters will also be able to improve their skills through the newly-launched Bug Hunter University, which includes courses on how to submit a successful vulnerability report.

Research papers on the security of open source will be eligible for a reward, just like open source software patch submissions, while hunters improving security in open source programmes will be eligible to apply for a grant to better secure their own projects.

Commenting on the announcement, Google VRP technical programme manager, Jan Keller, said that when Google launched its “very first VRP” over a decade ago, no one knew “how many valid vulnerabilities – if any – would be submitted on the first day”.

“Everyone on the team put in their estimate, with predictions ranging from zero to 20. In the end, we actually received more than 25 reports, taking all of us by surprise,” he added.

Three years later, the programme was expanded to include open source as well as Google Android and Apache.

“Since its inception, the VRP programme has not only grown significantly in terms of report volume, but the team of security engineers behind it has also expanded – including almost 20 bug hunters who reported vulnerabilities to us and ended up joining the Google VRP team. That is why we are thrilled to bring you this new platform, continue to grow our community of bug hunters and support the skill development of up-and-coming vulnerability researchers,” said Keller.

Microsoft has confirmed that its recent Patch Tuesday round of fixes for Windows 10 has introduced a bug that’s causing issues when users try to print or scan using smart cards for authentication.

As part of the wave of updates released on 13 July, Microsoft attempted to fix an issue affecting printers that were connected to machines through USB connections. However, after installing the updates on domain controllers (DCs), administrators might find that some multifunctional printers will fail to print when using smart card (PIV) authentication.

These ID cards are often used in secure environments and workplaces with contactless card readers for gaining entry to certain areas and are also attached to devices such as printers to authenticate identities prior to their usage. The affected machines are printers and scanners that aren’t compliant with section 3.2.1 of RFC 4556 spec, according to Microsoft.

“If you encounter this issue with your printing or scanning devices, verify that you are using the latest firmware and drivers available for your device,” a Microsoft advisory said. “If your firmware and drivers are up-to-date and you still encounter this issue, we recommend that you contact the device manufacturer.

“Ask if a setting or configuration change is required to bring the device into compliance with the hardening change or if a compliant update will be available.”

The firm confirmed it’s working on a temporary mitigation, but this isn’t yet available to share. This should allow printing and scanning on affected devices, allowing time for manufacturers to release compliant firmware and drivers for their devices.

This issue might cause a nightmare for workers in certain office environments that rely on smart card-compatible printers. It follows a string of issues in Windows deployments this year, including a string of vulnerabilities detected in the Print Spooler component.

For example, users encountered several printer-related problems in the Patch Tuesday round of fixes released on 9 March this year, according to Neowin. Some instances even resulted in users encountered a blue screen of death when trying to print as a result of driver conflicts. These were subsequently fixed on 15 March in an emergency fix.

Google has fixed a serious bug in a Chrome OS stable channel update released earlier this week that locked Chromebook users out of their machines.

The verification error, present in version 91.1.4472.165, came as a result of a single character typo in a string of code in Chrome OS’s Cryptohome VaultKeyset, which is the portion of the operating system that holds user encryption keys.

The string in question was a conditional statement that included a single ampersand, ‘&’, instead of two ampersands, ‘&&’, which is the AND operator in C++. As a result, the conditional statement was broken and meant that Chrome OS was unable to check user passwords against those stored.

This meant, in practice, that all users who had updated to 91.1.4472.165 were met with error messages, even if they had entered the correct password to access their user account. For some users, their devices were even stuck in a boot loop that meant they couldn’t even reach the login screen.

Google rolled out the buggy update through its stable channel last weekend, which bypassed several of its testing channels including the ‘canary’, ‘dev’, and ‘beta’ channels.

It was then almost immediately met with widespread complaints on social media platforms such as Reddit. There were several threads and hundreds of posts on the r/chromeos page from users reporting they were unable to access their machines properly, alongside messages warning others not to update to the latest version of Chrome OS.

Google’s engineering team quickly identified the bug and halted the rollout of the Chrome OS update on Tuesday, promising a new version the following day. In the meantime, the team recommended either factory resetting the device or rolling back the Chrome OS device to a previous version via USB. The firm released version 91.1.4472.167 the next day.

This is the second major bug that’s slipped into the stable channel for Chrome OS updates this month. Another bug that slipped into a final release caused extremely high CPU usage spikes, according to Android Police.

Microsoft has said it awarded over $13.6 million (£9.87 million) in rewards to security researchers participating in its public bug bounty programmes over the last 12 months.

Between 1 July 2020 and 30 June 2021, over 340 security researchers from across 58 countries participated in the tech giant’s 17 software bug hunts, reporting a total of 1,261 valid vulnerabilities.

The number of participating researchers grew by at least a dozen since the same period last year, when Microsoft awarded $13.7 million to 327 security researchers. Since then, the tech giant has added two more bug bounty programmes, including one for its Teams desktop client with potential rewards of up to $30,000, and saw the number of vulnerability reports increase by 35.

However, despite the reward amount tripling between 2019 and 2020, 2021 saw a slight decrease, of around $100,000.

Over the last 12 months, the highest number of bug reports were submitted from security researchers based in China, the US, Israel, and India. Although the average reward was over $10,000 (£7,260), the largest payout – $200,000 (£145,000) – was awarded for a vulnerability reported in Microsoft’s OS virtualisation technology, Hyper-V, under the Hyper-V Bounty Programme.

Microsoft Security Response Center members Jarek Stanley, Lynn Miyashita, and Madeline Eckert thanked “everyone who shared their research with Microsoft this year and for their partnership in securing millions of customers”, in a statement on the company’s blog.

“We’re constantly evaluating the threat landscape to evolve our programmes and listening to feedback from researchers to help make it easier to share their research. This year, we introduced new challenges and scenarios to award research focused on the highest impact to customer security.

"These focus areas helped us not only discover and fix risks to customer privacy and security, but also offer researchers top awards for their high-impact work,” they said, adding that the Microsoft Security Response Center will share “more bounty programme updates and improvements in the coming year”.

The title of the Most Valuable Security Researcher 2021 is to be announced in August.

Security researchers have warned of a critical flaw in the Atlassian project and software development platform that hackers can use to take over an account and control some of the apps connected through its single sign-on (SSO) capability.

According to Check Point Research (CPR), hackers could exploit the flaw to access Atlassian’s Jira, a bug-tracking and agile project-management tool used by over 65,000 customers, including Cisco, Pfizer, and Visa.

The flaw focuses on Atlassian’s use of SSO to ensure continuous navigation between subdomains for related products, such as Jira (jira.atlassian.com) and Confluence (confluence.atlassian.com). This creates a potential attack scenario involving injecting malicious code into the platform, then leveraging a session fixation flaw to hijack a valid user session and take control of an account.

Researchers proved that account takeover was possible on Atlassian accounts accessible by subdomains under atlassian.com.

To exploit the flaw, hackers would have to lure a victim into clicking on a crafted link coming from the “Atlassian” domain via social media, a fake email, or a messaging app, etc. By clicking on the link, the payload would send a request on the victim’s behalf to the Atlassian platform, which would perform the attack and steal the user session. Then the hacker logs onto the victim's Atlassian apps associated with the account, gaining all the sensitive information stored there.

“What makes a supply chain attack such as this one so significant is the fact that once the attacker leverages these vulnerabilities and takes over an account, he can plant backdoors that he can use in the future for his attack. This can create severe damage which will be identified and controlled only much after the damage is done,” said researchers.

Lewis Jones, threat intelligence analyst at Talion, told ITPro that successfully exploiting these flaws could result in a supply-chain attack whereby an attacker can take over an account, use it to perform unauthorized actions, such as edit Confluence pages, access Jira tickets, and even inject malicious implants to stage further attacks down the line.

“Furthermore, if an attacker gains access to a Jira account, the attacker can proceed to gain control of a Bitbucket account which could lead to an attacker being able to pilfer credentials. This could grant them permissions to access or alter source code, make the repository public, or even insert backdoors,” he said.

“Whilst details have recently emerged, a fix for the flaw was released in May. Users are advised to ensure that updates are implemented as soon as possible, and to continue monitoring for any further developments."

CPR disclosed its research findings to Atlassian on January 8, and Atlassian deployed a fix on May 18.

The Cybersecurity and Infrastructure Security Agency (CISA) plans to launch a crowdsourced bug reporting site serving a range of federal government agencies. The Department of Homeland Security's cyber arm will work with Bugcrowd, a crowdsourced bug reporting site, to launch the project.

CISA will offer the bug reporting platform to federal government agencies. While it won't be a paid bug bounty program, it'll give security researchers a way to report bugs to government organizations through a system that guarantees a response and ensures officials note all bugs.

The deal follows the announcement of Binding Operational Directive 20-01 last September, in which CISA laid out plans to create a vulnerability disclosure policy (VDP). It directed agencies to publish a VDP policy on their websites within 180 days, describing what systems it covers and how security researchers can report bugs. It also mandates timelines for acknowledging and dealing with each bug.

Government technology contractor Endyna will support the reporting platform under a one-year software as a service (SaaS) contract. The arrangement includes an optional extension of up to four years.

The VDP effort has been brewing for a while. CISA originally published the draft of BDO 20-01 in November 2019, inviting public comment on the issue. The final BDO — and the forthcoming program — will carry forward some of CISA's original suggestions, including the mandatory inclusion of all new computing systems in the scope of an agency's VDP.

The directive also set out a two-year deadline for including all internet-accessible systems in agency VDPs.

If nothing else, this should reduce the danger of legal threats against white hat hackers trying to report bugs to federal agencies. It mandates that agencies not issue threatening language as part of their VDP or pursue legal action against researchers trying to report bugs in good faith.

The directive also states CISA won't send any bugs it collects to the Vulnerabilities Equities Process (VEP). VEP is a government initiative that gives intelligence officials the option to store bugs secretly as potential weapons rather than releasing them to the public.

The Pentagon has taken its own approach to vulnerability reporting by offering paid bug bounty programs, including a new one launched this week.

Apple has released security updates addressing zero-day vulnerabilities in its WebKit browser engine, which is primarily used in Safari and any other web browsers available on iOS, as well as Apple Mail and the App Store.

The two vulnerabilities, known as CVE-2021-30665 and CVE-2021-30663, allowed hackers to execute arbitrary remote code execution (RCE) on any device that had visited a malicious website.

CVE-2021-30665 had been reported by Beijing-based security researcher Yang Kang and Bian Liang, who is reportedly a researcher for antivirus provider Qihoo 360 ATA. The researcher who had discovered CVE-2021-30663 opted to remain anonymous.

Devices that may have been exploited by the two bugs include iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, the 7th generation iPod touch, as well as the Apple Watch Series 3 and later.

The security updates iOS 14.5.1 and iPadOS 14.5.1 were released on Monday to remedy the issues, which Apple described as “a memory corruption issue” and “an integer overflow”, which were “addressed with improved state management”.

The latest security update is also a fix for issues with Apple’s new App Tracking Transparency (ATT), which was released with iOS 14.5.

"This update fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it," Apple stated in its iOS 14.5.1 release notes.

Apple also released an update for macOS Big Sur, labelled 11.3.1.

All three security updates were described as remedies to CVE-2021-30663 and CVE-2021-30665, with the tech giant stating that it “is aware of a report that this issue may have been actively exploited”.

However, the scope of the issue, as well as the number of affected users was not made publicly available. IT Pro has contacted Apple for comment and will update this story when more information becomes available.

The new security updates come just days after iOS 14.5, released on 27 April, which removed default data tracking and made it a requirement for app developers to present users with a pop-up notification asking them to consent to be tracked.

In the months coming up to the release of iOS 14.5, Facebook publicly campaigned against this decision, arguing that it would severely harm the revenues of its advertising partners, many of which are smaller companies.

Microsoft has launched a bug bounty reward programme for its Teams desktop client with potential rewards of up to $30,000.

The reward scheme falls under the new Microsoft Applications Bounty Programme, which so far only covers Microsoft Teams but will be expanded to include others in the near future.

Lynn Miyashita, programme manager at Microsoft Security Response Centre (MSRC), said: “Partnering with the security research community is an important part of Microsoft’s holistic approach to defending against security threats. As much of the world has shifted to working from home in the last year, Microsoft Teams has enabled people to stay connected, organized, and collaborate remotely.

“Microsoft and security researchers across the planet continue to partner to help secure customers and the technologies we use for remote collaboration.”

The programme includes scenario-based bounty awards for vulnerabilities that have the highest potential impact on customer privacy and security. The rewards for this range between $6,000 to $30,000.

There are also general bounty rewards for other valid vulnerability reports for the Teams desktop client, with the rewards ranging from $500 to $15,000. Microsoft will also accept submissions for Teams online services, but those will be rewarded under the Online Services Bounty Program, where rewards are between $500 to $20,000.

Valid reports for Microsoft Teams research are also eligible for a 2x bonus multiplier under the Research Recognition Programme, the company has confirmed. These points contribute to a researcher’s eligibility for the annual MSRC Most Valuable Security Researcher list.

In August 2020, it emerged that Microsoft paid out $13.7m (£10.5m) across 15 bounty programmes during the last 12 months, over three times the amount paid to researchers in the same period during 2018/2019. The biggest single reward was $200,000, with 1,226 eligible vulnerability reports being filed during the period.

Bitcoin trading and lending platform Sovryn has announced its biggest bug bounty program. The announcement comes after the company raised an equivalent of $10 million in bitcoin through its governance token presale.

The bounty, launched in partnership with Immunefi, will offer white-hat hackers a whopping $1.25 million to unearth security vulnerabilities in the Sovryn smart contract.

“Throughout the proposal drafting process for SIP-8, the Sovryn team and community have provided valuable feedback and sharing ideas on how to improve the program, said Immunefi co-founder Travin Keith.

Keith continued, “the program will incentivize white hats to look through the code as well as incentivizing black hats to disclose bugs, instead of exploiting them."

According to the bounty’s official page, payouts will adhere to Immunefi’s vulnerability severity classification system.

For smart contract and blockchain vulnerabilities, the bounties range from $2,200 for low-risk issues to as much as $1 million for critical flaws. Sovryn will cap the $1 million bounties at 10% of the funds at risk.

Sovryn will also pay a bonus for smart-contract- and blockchain-related bugs reported within the first three weeks of the bounty program. The special reward starts at 25% and is split into seven-day rounds. The bonus reduces by five percentage points at the end of each round until it reaches 10% in the final bonus round.

Website and app vulnerabilities have lower payouts that range from $2,200 for medium-severity vulnerabilities to $22,140 for critical issues.There’s no bonus for finding these vulnerabilities in the first three weeks.

Rewards are payable in bitcoin, but the Sovryn team may decide to have “up to 50% of the reward payable in schedule of values (SOV) tokens according to a vesting schedule dependent on the amount paid out.”

Casting light on the most rewarding vulnerabilities, Sovryn said the company is especially interested in receiving news about missing access controls, consensus failures, logic errors, susceptibility to block timestamp manipulation, remote code execution, clickjacking, and cryptography problems.

Sovryn also clarified that in case two or more reports suggest the same vulnerability, only the first complete bug report will receive the reward. “The final reward amount is capped at 10% of the funds at risk based on the vulnerability reported," the company said.

“The Sovryn developer team/community takes security seriously and this successful presale has allowed us to take that to the next level, encouraging thousands of hackers to try to penetrate our decentralized protocol. Forged in the white-hot fire of this testing, the armor of our security will emerge all the strong,” added Sovryn co-founder Edan Yago.

Apple has patched a non-exploitable programming bug in its flagship macOS Big Sur operating system (OS) that could lead to irretrievable data loss.

Usually, before the OS undergoes a major upgrade, it performs a check for how much free space is available. In versions 11.2 and 11.3 of Big Sur, however, this check doesn't work as intended, according to Mr Macintosh, meaning the upgrade will start even if you have 1% of space left.

This means that the upgrade will start anyway and will saturate users’ hard disk space at 100%, with the installer stuck in a boot loop in an attempt to finish the install.

The problem is exacerbated for Mac devices with the T2 security chip and FileVault 2 encryption enabled. For those with a T2 Mac, they will be unable to get into macOS recovery because their password will not work.

Enabling the hard disk encryption software FileVault locks people out due to a failure to accept their passwords in the normal recovery prompts, the Mac researcher showed.

If FileVault is enabled, users will be prompted to enter their admin password before accessing recover, but it won’t be accepted. If users then try to reset their password with a personal recovery key or AppleID, the reset process will fail. Even Target Disk Mode, which turns the macOS device into an external hard drive for another Mac, will fail.

If upgrading from macOS Sierra or later, macOS Big Sur requires 35.5GB of available storage to upgrade. If upgrading from an even earlier release, macOS Big Sur requires up to 44.5GB of available storage.

The range of available hard drive space where the bug would kick users into a boot loop was between 13GB and 35.5GB of free space. This is according to a deep-dive video compiled by Mr Machintosh breaking down the issue and how it manifests.

Thankfully, Apple has released a fresh installer, macOS Big Sur 11.2.1, which now checks for free space properly before applying any major upgrade to the system.

The issue isn’t a new one, with users reporting problems installing Big Sur as far back as November, losing their data in the process.

Microsoft has issued an out-of-band patch for a blue screen of death (BSOD)-causing glitch introduced with the release of this week’s round of Patch Tuesday security fixes.

Some users have reported their devices crashing following the latest update, according to Windows Latest. Dubbed KB4601315, this round of fixes rectified 56 security flaws in Windows 10, including a critical zero-day vulnerability affecting the win32k component, being actively exploited by hackers in China.

Microsoft acknowledged the rollout of KB4601315 caused the BSOD to appear for a handful of users, revealing that devices stopped working when users attempted to connect to a Wi-Fi network through the Wi-Fi Protected Access 3 (WPA3) protocol.

Users will encounter “stop error 0x7E in nwifi.sys” when they attempt to use a WPA3 connection, the company confirmed. The emergency update, dubbed KB5001028, has now been released and should address the issue.

WPA3 is the most recent version of the security standard for wireless networks, introduced in January 2018. This added a number of improvements to security over WPA2, including stronger encryption and mitigations against weak passwords.

The Windows 10 bug caused by this week’s Patch Tuesday update should not affect too many devices considering WPA3 has yet to be adopted in the mainstream. Many devices with WPA3 support have been manufactured, but organisations and individuals across the world haven’t yet necessarily changed their WPA2 networking equipment.

Although the WPA3 standard isn’t as widely used as it one day will be, Microsoft still deemed this bug severe enough to release an out-of-band fix, something the company only does in emergency situations.

Previous out-of-band updates have normally been issued to fix critical flaws that render Windows devices vulnerable to exploitation by hackers.

Microsoft released emergency patches for high-risk Windows 10 and Windows Server 2019 remote code execution flaws affecting Windows Codecs Library in July 2020, for example. The firm also issued out-of-band updates to fix two further remote code execution bugs affecting Windows Codecs Library again as well as Visual Studio Code in October.

Google has released an updated version of its Chrome web browser following reports of a zero-day vulnerability being exploited in the wild.

Version 88.0.4324.150 for Windows, Mac and Linux contains only one patch which is aimed at a memory corruption bug in Chrome’s V8 JavaScript engine, known as CVE-2021-21148.

The vulnerability, marked as high risk, was reported on 24 January by security researcher Mattias Buelens, who is also a lead software architect on THEOplayer.

Google Chrome technical program manager Srinivas Sista said that the tech giant is “aware of reports that an exploit for CVE-2021-21148 exists in the wild”. He didn’t provide any additional details about the zero-day vulnerability due to risk of further exploitation, noting that the majority of users hadn’t yet been updated with a fix.

However, ZDNet notes that the date on which Google says the bug was reported, January 24, is just two days after Google's Threat Analysis Group reported a hacking campaign carried out by North Korean hackers against the cyber security community. It's believed this campaign may have relied on zero-day exploits in Chrome and Internet Explorer.

Chrome version 88.0.4324.150 has begun to roll out to users across Windows, Mac and Linux systems. Users can check if their Chrome browser is up to date by following these steps:

1. Open your Chrome browser and look the three vertical dots on the top right corner
2. Green means the update it less than two days old
3. Orange means the update is about four days old
4. Red means the update is a least a week old
5. If the dots are coloured, click them to open the menu
6. Click “Update Google Chrome”
7. Exit your Chrome browser and reopen it to complete the update.

Google was forced to deal with another Chrome zero-day vulnerability in October of last year, when its Project Zero security team discovered that hackers were exploiting the bug to attack Chrome users’ systems.

The vulnerability, a memory corruption bug in the FreeType font-rendering library, prompted the tech giant to release the Chrome OS 86.0.4240.112 update, which addressed the detected zero-day security flaw on Google Chromebooks.

Microsoft has released a fix for the zero-day remote access exploit recently uncovered in its Defender antivirus service.

The fix arrives in the company's monthly set of security patches, known as 'Patch Tuesday', which included patches for a total of 83 vulnerabilities across a wide range of products, including Windows, Azure and other Microsoft services.

The zero-day exploit is tracked as CVE-2021-1647 and is described as a remote code execution (RCE) bug that allows threat actors to embed code on vulnerable devices by tricking users into opening a loaded document on a system with Microsoft Defender installed.

Microsoft said that despite exploitation being detected in the wild, the technique was not functional in all situations, suggesting that it is still at a 'proof-of-concept' stage. However, the company warned that the code could evolve into more reliable attacks.

To protect against any future attacks, Microsoft has released patches for the Microsoft Malware Protection Engine, which will be installed automatically unless blocked by system administrators.

Alongside the Defender zero-day bug, the tech giant has also released a patch for a flaw in the Windows splwow64 service. This was tracked as CVE-2021-1648 and could be used to elevate the privileges of attack codes. This hasn't been exploited in the wild, according to Microsoft, but system admins have been advised to apply the patches to avoid any future problems.

Microsoft is not the only firm starting 2021 with patches, as Adobe has released its first major batch of security fixes. On Tuesday, the software firm released a number of security advisories for vulnerabilities in seven different products: Photoshop, Illustrator, Animate, Bridge, InCopy, Captivate and Campaign Classic.

The first of these fixes have already been applied to the Photoshop image creation software on Windows and macOS-based machines. It is tracked as CVE-2021-21006 and can be used to trigger arbitrary code execution.

The UK government’s COVID-19 contact-tracing app was patched last week to fix a bug that meant the system failed to send notifications to thousands of users who should have been warned to self-isolate.

The Test and Trace app, which is supposed to be a core part of the government’s national coronavirus response, hasn’t been working properly since its late September launch because it was set to the wrong sensitivity.

Users whose “risk score” should have triggered an alert, due to possible exposure among their contacts, were not alerted to either get a test or self-isolate due to the error, according to the Times.

As a result, “shockingly low” numbers of users had been sent warnings since the app was released, according to a government source, with Android users among those more likely not to have been sent a notification when they were supposed to.

An update to the app, released last week, fixed both this error, as well as another bug in which users were notified about a “potential exposure” only for the message to disappear without a trace, and without any further details.

The risk threshold is calculated for each user and for each possible COVID-19 exposure using various factors including distance, as well as the infectiousness of the person who has tested positive. The system then works out the overall risk to each applicable individual, and sends out a notification if it exceeds the threshold.

This threshold was due to be lowered when the app launched from 900 to 180, although this didn’t happen until the patch was launched last week. This is according to a blog written by the head of product for the NHS COVID-19 app Randeep Sidhu and the director of product for Test and Trace, Gaby Appleton. Due to a new statistical algorithm in use by the app, the risk threshold is being lowered to 120.

Although 19 million people now use the app, officials have refused to reveal how many people have been told to self-isolate, the Times report added.

The NHS app has suffered a disastrous and long-drawn-out launch, having first been promised in April 2020 and delayed several times due to various concerns, including potential security risks as well as compatibility issues.

The original idea was to pursue the decentralised Google and Apple API, which the majority of national COVID-19 contact tracing apps are powered by. The government then ditched this in favour of developing its own centralised app, although ran into issues when it was trialled on the Isle of Wight and was eventually abandoned in favour of a manual national contact tracing scheme.

The government then pivoted back to using the Google and Apple API to power its contact-tracing smartphone app, which eventually launched on 24 September. Its release was far from the smoothest, however, with fears initially that it would not be compatible with a large swathe of iOS devices.

A fix was also needed two days after launch when it was revealed that tens of thousands of NHS tests were not compatible with the app’s current build version,

Google has discovered htat the latest versions of Chrome and Chrome OS contained a zero-day security flaw.

Project Zero, Google’s security team responsible for finding these vulnerabilities, discovered hackers were using the bug to attack Chrome users’ systems. Google patched Chrome’s flaw a few days ago, and has now rolled out a fix for Chrome OS.

Today’s Chrome OS 86.0.4240.112 update addresses the detected zero-day security flaw on Google Chromebooks. The vulnerability was a memory corruption bug in the FreeType font-rendering library.

Other functional changes in the Chrome OS update include fixes for the 'Clear all' button and 'Pairing lost' notification, and flags for modifying the protection level against Spectre.

If you’re uncertain whether your Chrome OS is up to date or not, here’s how to find out if there’s a Chrome OS update:

1. Click the “Settings” gear icon on the lower right corner of your screen
2. Click “About Chrome OS” on the bottom of the left panel
3. Find your Chrome OS version under “Google Chrome OS”
4. Click “Check for updates”
5. Your Chromebook will automatically download an update if one’s available
6. Restart your Chromebook to complete the update

Two days ago, Google also launched Chrome version 86.0.4240.111, which included a patch for Chrome’s zero-day security vulnerability.

Users should have the Chrome patch by now, but you can check if your Chrome browser is up to date with these steps:

1. Open your Chrome browser and look the three vertical dots on the top right corner
2. Green means the update it less than two days old
3. Orange means the update is about four days old
4. Red means the update is a least a week old
5. If the dots are colored, click them to open the menu
6. Click “Update Google Chrome”
7. Exit your Chrome browser and reopen it to complete the update

A zero-day security vulnerability is a previously unknown software flaw that would be of interest to the software developer or vendor. Cybercriminals and hackers can exploit this flaw to attack users, computer programs, data, other computers or a network.

A cumulative Windows 10 update released as part of this week’s Patch Tuesday round of fixes may be causing incompatibility issues with certain versions of legitimate drivers.

The change Microsoft has implemented, as part of the update tagged KB4579311, aims to tighten up the verification standard in Windows 10 for driver software. This has been rolled out to minimise the chances of malware exploiting vulnerable or out-of-date drivers, and fully compromising systems.

Windows 10 will prevent users from applying driver updates if the operating system cannot verify the software publisher, displaying two error messages when this happens. Users will first be informed that Windows 10 cannot verify the driver software, and secondly that no signature was present in the subject. These errors suggest that Windows did not recognise the formatted catalogue file in the driver validation, Microsoft has disclosed, and that installation therefore won’t be successful.

While this measure has been introduced to prevent potentially vulnerable drivers from being installed on machines, and therefore heightening the risk of exploitation by malware, the tighter standards could hit legitimate software. Older versions of existing drivers, for example, may not pass the new checks.

Should users encounter these errors when attempting to update their drivers to legitimate software that cannot be verified, Microsoft has recommended that they contact the driver manufacturer. The only way around the glitch is for the device manufacturer to re-upload the driver, or provide a more up-to-date version of the software, in which the catalogue file is formatted correctly.

Microsoft released up to 87 security fixes as part of its routine Patch Tuesday updates yesterday, including fixes for 11 critical vulnerabilities. Among these was a ‘wormable’ remote code execution flaw affecting the TCP/IP component of Windows 10 and Windows Server 2019, rated 9.8 on the CVSS scale.

Apple has paid a group of ethical hackers $288,500 (£222,813) for finding and disclosing critical vulnerabilities in its network, some of which could have provided access to company infrastructure and iCloud data.

Since 6 July of this year, Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes have worked together as a part of Apple’s bug bounty programme. The team managed to discover a total of 55 vulnerabilities, 11 of which were of critical severity, 29 of high severity, 13 of medium severity, and two of low severity.

The 11 most critical bugs made it possible for the group to access Apple’s infrastructure and use it to potentially steal confidential information such as private emails and iCloud data.

Sam Curry said that the team “found a variety of vulnerabilities in core portions of [Apple’s] infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account" and "fully compromise an industrial control warehouse software used by Apple", as detailed in a blog covering three months of research.

He added that exploits may have also allowed hackers to "take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources".

The 11 vulnerabilities found to be critical were as follows:

• Remote Code Execution via Authorization and Authentication Bypass
• Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
• Command Injection via Unsanitized Filename Argument
• Remote Code Execution via Leaked Secret and Exposed Administrator Tool
• Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
• Vertica SQL Injection via Unsanitized Input Parameter
• Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
• Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
• Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
• Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
• Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys

According to Curry, the “vast majority” of the 55 vulnerabilities have already been fixed.

“They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours),” he added.

Apple has so far paid the team a total of $288,500 for discovering the vulnerabilities, yet they could be awarded another quarter of a million dollars when the tech giant processes the entirety of their report.

Microsoft has publicly released the vulnerability testing tool it uses to detect bugs in its flagship products including the Windows 10 operating system, which has been blighted with glitches in recent months.

After previously revealing it would replace its existing software testing programme, known as Microsoft Security and Risk Detection, Microsoft has made its automated and open source tool available through Github for developers around the world.

This transition to fuzzing, dubbed Project OneFuzz, sits in line with the wider industry’s movement to this method of vulnerability detection. Google, for example, has deployed fuzzing for some time, and even launched a Fuzzing benchmarking tool in March this year for developers to compare the viability of different services.

The technique is known to be a highly effective method for raising the level of security and reliability of native code, and involves developers feeding random excerpts of programming into a bug detection engine.

Project OneFuzz is an extensive fuzz testing framework that can be deployed through the Azure public cloud, and is the same testing framework used to detect bugs in various Microsoft products including Windows, Edge and other projects.

“Microsoft’s goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment,” said Microsoft Security’s principal security software engineer lead Justin Campbell and senior director for special projects management Mike Walker.

“The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attacker’s job more difficult.

Recent advancements have transformed the security engineering tasks involved in fuzz testing native code, with several useful functionalities including crash detection, coverage tracking and input harnessing now baked into fuzzing.

Project OneFuzz has already allowed developers to continuously scan Windows operating system builds for errors and harden updates prior to launch, Microsoft claims. Windows 10, however, has suffered from recent waves of glitches and bugs, particularly as a result of both major and minor updates.

Windows 10’s May 2020 Update, for example, has produced a litany of issues for users of all varieties over the last few months, ranging from strange networking and connectivity issues to problems affecting Lenovo devices specifically.

The latest Patch Tuesday, too, saw Microsoft release 129 fixes across its various products including 23 patches for critical flaws, signalling that big updates have become the new normal for the Windows developer.

Microsoft would hope that the continued deployment of Project OneFuzz would eventually begin to iron out errors and bugs prior to patches and updates being released.

Project OneFuzz gives developers the capability to launch fuzz jobs running from a few virtual machines to thousands of cores. Features include composable fuzzing workloads, built-in ensemble fuzzing, on-demand live-debugging of crashes, and crash reporting notification callbacks, among many others.

The latest round of Windows 10 updates are causing major issues for enterprise users, ranging from performance and networking problems to frequent blue screen of death (BSOD) error messages.

The Windows 10 KB4549951 and KB4566782 updates, lanched on 11 August, have resulted in a range of performance issues and, in some cases, hardware errors, according to a host of user complaints on the official Windows support forum.

The updates were designed to provide a fix for the way Windows 10 stores and manages files, as well as security improvements for how the operating system uses external devices, such as a mouse or keyboard.

However, many users have reported frequent BSOD errors in a variety of contexts since updating, on top of a handful of users experiencing the rarer green screen of death (GSOD) message that only Windows Insiders with preview editions of Windows 10 can see.

Complaints also include slow Wi-Fi and sluggish download speeds, an inability to connect Bluetooth devices, external devices connected via USB not being recognised, as well as data transfer speeds crashing.

BSOD errors appear in ‘Unexpected Store Exception’ contexts, most often caused by hardware component failures, with some users even reporting repeated or looped blue-screen errors.

Although the errors are affecting users with devices from several manufacturers, including Dell and Acer, one seemingly common thread running through the errors is the use of the Hyper-V virtualisation engine. It’s also used by Windows Sandbox, a Microsoft-developed feature that allows for potentially harmful software to be run in an isolated environment without affecting the rest of your system.

It also appears that a disproportionate number of Lenovo device users are experiencing this Hyper-V error, although this has not been confirmed by either Lenovo or Microsoft. A handful of the Windows 10 May 2020 Update bugs reported earlier this year had affected Lenovo hardware exclusively.

“I installed KB4566782 a few days ago. My system is Windows 10 2004, 64 bit, installed on Thinkpad T470,” one user on Microsoft Answers commented.

“As a consequence, I suffered from slow Wi-Fi surfing and very slow (practically zero) downloading speed. After I tried every solution (update drivers, etc) and checked that other devices in my home work fine, today I uninstalled KB4566782. The solution worked and now everything is fine again.”

“19041.450 and 19041.423 (last month's preview) both break my Thinkpad X390 pretty badly when Hyper-V is installed,” another user said on Reddit.

“The Windows Hello camera stops working, and the machine BSODs when going to sleep or when trying to run Lenovo Vantage. The Intel management engine interface device stops working as well. If I uninstall Hyper-V it's fine. If I roll back to prior to 19041.423 it's also fine with Hyper-V still installed.”

These updates initially caused installation issues when they were launched earlier in the month, according to Windows Latest, although these fresh complaints appear to suggest the problems are far worse than initially thought.

IT Pro asked Microsoft whether it was aware of the latest reports.

Microsoft paid out $13.7 million (roughly £10.5 million) across 15 bounty programmes during the last 12 months, more than three times the amount paid out to researchers in the same period during 2018/19.

The company rewarded 327 researchers for identifying bugs and flaws in Microsoft software during the last year, with 1,226 eligible vulnerability reports being filed during the period. The biggest single reward was $200,000.

The overall payout is greater than the $4.4 million (approximately £3.4 million) Microsoft distributed during the same 12-month period across 2018 and 2019, and significantly higher than the $2 million (around £1.5 million) rewarded during 2018.

This is due to a number of significant changes to the bug bounty programme made over the last two years, as well as the COVID-19 pandemic, which has led to a higher rate of engagement among the security community.

Programmes for Microsoft Dynamics 365, Azure Security Lab, Edge on Chromium, and Election Guard were all launched between July and October 2019, while the Xbox bounty and Azure Sphere Security Research Challenge programmes were launched this year.

This is in addition to the Identity and Windows Insider Preview bounty programmes being updated in October 2019 and July 2020, respectively.

“We’re constantly evaluating the threat landscape to evolve our programs and listening to feedback from researchers to help make it easier to share their research,” said Microsoft’s senior program manager leading its Bug Bounty Program, Jarek Stanley.

“This year, we launched six new bounty programs and two new research grants, attracting over 1,000 eligible reports from over 300 researchers across 6 continents. In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic.”

The final payout is more than double the $6.5 million Google paid through its bug bounty programme during the 2019 fiscal year, which was distributed among 461 researchers, with the biggest single reward standing at $201,000.

Microsoft didn’t disclose the number of vulnerabilities reported across the previous 12-month period, although the 1,226 flaws reported in the last year may well represent a major increase. This is not only due to the number of new and expanded programmes the company has introduced, but the frequency of flaws identified.

The Windows 10 operating system, for example, has been the source of many complaints over the previous 12 months, particularly with regards to major feature updates such as the recent May 2020 upgrade.

Microsoft warned users against installing the Windows 10 update after its initial two-week delay due to a number of serious issues it had identified, ranging from faulty Bluetooth connectivity to broken mouse input.

Microsoft is investigating reports that Windows 10 is falsely suggesting users who have upgraded to the latest feature update aren’t connected to the internet, despite them experiencing a stable connection.

Bizarrely, this issue, which is being widely reported online, is also causing some desktop apps, such as Cortana and Feedback Hub, to break because these applications believe the device is not connected to the web, according to Windows Latest.

“I am running on Windows 10 Enterprise, Version 2004, OS Build 19041.264,” one user commented. “I recently changed to the Windows Insider Program and updated Windows.

"In the taskbar, the Wi-Fi icon shows No Internet Access, but I have a stable internet connection wirelessly (Ex: I can browse the internet, ping IP Addresses, etc.). Another problem is when I try to open Cortana it also says that I have no internet connection (By the way, I can also open Microsoft's website).”

The bug manifests as the Wi-Fi icon to the bottom-right of the icon tray incorrectly displaying a ‘No Internet Access’ message. While users are still able to browse the internet, as normal, a host of apps seemingly rely on this status message in order to establish connections, with software such as Spotify and even the Microsoft Store failing to reach their servers.

Microsoft is aware of the Network Connectivity Status Indicator (NCSI) issue, according to a contract worker posting on a Microsoft forum, but the bug hasn’t yet been resolved.

Most users experiencing the issue have complained only after upgrading to version 2004, also known as the May 2020 Update.

This is simply the latest in a string of minor, and major, issues that have arisen after Microsoft first launched its major May 2020 Update. This update, in the first instance, was initially delayed after the last-minute discovery of a zero-day flaw.

Microsoft subsequently warned users against installing the May 2020 update until a set of other issues were resolved.

Several issues have since come to light including incompatibility problems with certain Lenovo devices, as well as a Google Chrome flaw whereby the web browser logs users out of their accounts and wipes stored information such as cookies and passwords.

Windows 10 users have reported issues with Google Chrome whereby the web browser logs them out of their accounts and removes stored information such as cookies and passwords.

The Windows 10 May 2020 Update seemingly undermines Google Chrome’s authentication and sign-in features and renders it unable to retain data as it should, according to issues widely noted on internet forums, as reported by Windows Latest.

One user, for example, has reported Chrome not saving cookies and preventing synchronisation after rebooting their system. Others, meanwhile, have complained about similar sign-in issues with various applications such as Edge, OneDrive, and the Chromium-based Battle.Net app.

“I'm dealing with a problem where each time I close chrome, it pauses sync and doesn't seem to use stored cookies (meaning it logs me out of all websites, regardless of if the password is stored in sync or not),” commented one user on a Google forum. “This issue only began after I moved to a new computer (from windows 7 to windows 10) and used restore from an external hard drive to move over all my files.”

The user added they tried a number of workarounds, such as deleting all Chrome-related files, restoring the app as well as downloading the Chrome Beta, none of which seemed to fix the issues.

Two weeks after Microsoft launched the May 2020 Update, which was released with ten major flaws, users have continued to experience issues. Lenovo ThinkPad users, for example, may encounter bugs specific to their machines, including incompatibility with BitLocker and an AMD video driver issue.

The reported issues with Google Chrome’s syncing capabilities, which hasn’t yet been recognised by Microsoft, has emerged alongside incompatibility issues with certain printers. Microsoft confirmed over the weekend that it’s an investigating an issue involving the print spooler erroring or closing unexpectedly when attempting to print. This has come as a result of the minor update KB4557957.

There is some dispute over the root nature of the cause, however, with one user noting on a Microsoft Answer forum, for instance, that the problem was solved after they uninstalled the KB4560960 and KB4561608 updates.

The latest in a string of bug-ridden flagship upgrades, the May 2020 upgrade has seen a bumpy release so far, despite Microsoft giving it a much longer testing lead-time than normal. The update was being beta-tested as far back as February 2019, in light of the botched April 2018 and October 2018 upgrade.

Lenovo has identified five major errors that may occur when users upgrade their ThinkPad devices with the latest version of Windows 10 after testing the May 2020 Update for any compatibility issues.

The latest update to the Windows 10 operating system, dubbed version 2004, was released with a number of significant flaws towards the end of May, with Microsoft warning some users against updating their systems as a result. This was after the developer had to delay the update initially due to the last-minute discovery of a zero-day vulnerability.

Having tested version 2004 with dozens of Lenovo machines, five additional errors that users may encounter have been identified affecting ThinkPad devices.

These range in severity from limitations with video drivers causing obscurities to manifest in certain apps, to some drivers failing altogether. These errors are as follows.

BIOS failure resulting in BSOD

Users with Lenovo ThinkPad P70 devices may inexplicably encounter the infamous blue screen of death (BSOD) after the system is resumed from sleep or hibernate modes. This is suspected to be related to an error in the system BIOS, although it’s still under investigation.

To avoid the BSOD, Lenovo has recommended that users roll back to the previous iteration of Windows 10, dubbed version 1909, until the issue is resolved and a fix is released.

UltraNav driver incompatibility issue

Affecting Lenovo ThinkPad E570p and ThinkPad L570 machines, users may encounter an error message due to a limitation with the UltraNav driver after recovering their machines from a system image.

The error message will be displayed as “Failed to load Apoint.DLL, Alps Pointing device application has stopped”, although ca be resolved by updating the UltraNav driver through Device Manager module.

BitLocker incompatibility

After upgrading from the Windows 10 Autumn 2019 update to version 2004 on a string of ThinkPad devices including the ThinkPad X1 Extreme Gen2, and the ThinkPad E15 Gen 2, users may encounter a yellow warning mark on the disk drive.

To resolve the problem, and to continue to use the BitLocker hard driver encryption feature, users will need to right-click on the disk drive with the warning mark, turn on BitLocker and then turn off BitLocker.

AMD video driver issue

Users with ThinkPad X395 devices may encounter a green border when attempting to resize the window of the Movies & TV application. This is due to a limitation with the AMD video driver fitted into the device, and cannot be resolved using a workaround, although an update for the driver should be available after 15 June 2020.

Failure in the system recovery process

During the system recovery process on the ThinkPad X1 Tablet Gen3, the F11 hotkey may not work normally. Although the target fix date won’t be until 29 June 2020, Lenovo has advised users to navigate to the Keyboard Manager settings in the Control Panel.

Users can navigate to the Lenovo support page for more information.

Thousands using the popular third-party email client, Edison Mail, accidentally gained full access to the email accounts of other users due to a software glitch.

The temporary issue, which occurred when iOS users enabled a new account syncing feature, was widely reported online following the release of an update last week.

This bug, which has now been resolved, inadvertently caused individuals’ inboxes to synchronise with other users’ accounts, leading to a significant violation of privacy.

Edison Mail allows users on hardware manufactured by Apple, including iPhones, iPads and Macs, as well as Android devices, to manage their email inboxes and synchronise them across their hardware. Edison Mail also boasts fast loading times, functionality to categorise messages, and claims to offer an ad-free experience.

An update rolled out on 15 May, however, caused a “technical malfunction” that allowed users to gain full access to inboxes belonging to others, in their entirety. This incident affected 6,480 Edison Mail iOS users, according to the company.

“A security bug was introduced for a small fraction of our iOS users,” the company said. “We have rolled that update back. All impacted users are being logged out and will need to re-login.

“We have resolved the recent security issue in Edison mail for iOS and secured all potentially impacted accounts. We apologize to all and are fixing our processes so this does not happen again.”

The company added that although data from these individuals’ email accounts was exposed to other users, no passwords were compromised. A subsequent patch was issued on 16 May to eliminate this undue exposure.

This patch, as a precaution, prevented all potentially impacted users from being able to access any mail from the Edison app, effectively bricking their apps. This was before a new version of the application was made available on Sunday that restored full functionality for the thousands affected.

Microsoft has released an artificial intelligence (AI)-powered tool to help developers categorise bugs and features that need to be addressed in forthcoming releases.

The software giant’s machine learning system classifies bugs as security or non-security with a 99% accuracy, and also determines whether a bug is critical or non-critical with a 97% accuracy rating.

With ambitions to build a system with a level of accuracy as close as possible to a security expert, Microsoft fed its machine learning model with bugs labelled as security and non-security. Once this was trained, it could then label data that was not pre-classified.

“Every day, software developers stare down a long list of features and bugs that need to be addressed,” said Microsoft’s senior security program manager Scott Christiansen, and data and applied scientist Mayana Pereira.

“Security professionals try to help by using automated tools to prioritize security bugs, but too often, engineers waste time on false positives or miss a critical security vulnerability that has been misclassified.

“At Microsoft, 47,000 developers generate nearly 30 thousand bugs a month. These items get stored across over 100 AzureDevOps and GitHub repositories. To better label and prioritize bugs at that scale, we couldn’t just apply more people to the problem. However, large volumes of semi-curated data are perfect for machine learning.”

Because the system needs to be as accurate as a security expert, security professionals approved training data before this was fed into the machine learning model. Once the model was operational, they were brought back to evaluate the model in production.

The project began with data science and the collection of all data types and sources to evaluate quality. Security experts were then brought in to review the data and confirm the labels assigned were correct.

Data scientists then chose a modelling technique, trained the model, and evaluated performance. Finally, security experts evaluated the model in production by monitoring the average number of bugs and manually reviewing a random sample.

The mechanism uses a step-step machine learning model operation; first learning how to classify between security and non-security bugs and then to apply a severity rating.

As a result of the level of accuracy, Microsoft now believes it’s catching more security vulnerabilities before they are exploited in the wild.

Development teams can read details in a published academic paper, with the machine learning methodology set to be open-sourced through GitHub in the coming months.

Software giants will release fixes for hundreds of bugs in unison for the second time this year, at a time when IT teams are already under pressure from mass adoption of remote working and surging cyber crime.

The forthcoming Patch Tuesday, on 14 April, will see as many as 500 vulnerabilities released by the likes of Microsoft and Oracle, causing a phenomenon dubbed the ‘Fujiwhara effect’. Such a security event is ordinarily rare, with the last one before 2020 occurring in 2014.

This year has been no stranger to coordinated bug fixes, with next Tuesday representing the second ‘Fujiwhara effect’ in 2020, according to Risk Based Security. This is in addition to a third event scheduled to hit on 14 July.

Such coordination of bug fixes poses a challenge for security teams, who must analyse and prioritise hundreds of disclosures before remediation can even begin.

This coming Tuesday may see as many as 300 to 500-plus fixes released, according to forecasts. This is significantly higher than average, with roughly 60 flaws published per day, normally.

This latest onslaught will also come at a time when employees have begun working from home en masse, and cyber criminals have been empowered by the COVID-19 pandemic to ramp up activity significantly.

“Even for large organizations, processing these new “Patch Tuesday” disclosures can take weeks, and that’s with a well-funded and coordinated team,” said Risk Based Security. “The hours required for IT security teams to collect, analyze, triage, and then address the coming vulnerabilities will be considerable.

“If there wasn’t enough going on already, organizations must somehow manage the coming Vulnerability Fujiwhara Effect despite the current business disruption and pressure on security budgets.”

The ‘Fujiwhara effect’ in meteorology is known as an extreme weather event in which two massive hurricanes collide or merge.

The last cyber security ‘Fujiwhara effect’ on 14 January, saw more than ten major software players participate, including Adobe, SAP, Schneider Electric, VMWare, Intel, as well as Oracle and Microsoft, among others.

The release of so many patches at once, numbering more than 300, saw IT and security teams across the world scramble to implement updates to their business-critical systems.

Among these fixes was a Microsoft-developed patch for an "extraordinarily serious" cryptographic flaw anchored in the crypt32.dll Windows component, with organisations like the US military given advanced access to the fix.

Winding forward some months, organisations are facing greater challenges than arguably ever before, in terms of the economy and the labour market, not to mention cyber security threats increasing significantly over the last few weeks.

The UK’s National Cyber Security Centre (NCSC) this week issued a joint-warning with US cyber security authorities warning businesses of a surge in cyber criminal activity, most of which was attempting to exploit the coronavirus pandemic.

Hewlett-Packard Enterprise (HPE) has warned that some of its SCSI solid-state drives will fail after 40,000 hours of operation.

The “critical” flaw affects drives in HPE server and storage products, including the HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosure, StoreEasy 1000 Storage, and causes the SSDs to brick after exactly 40,000 hours (4 years, 206 days and 16 hours) of use.

HPE said an SSD manufacturer alerted it to the firmware bug and added that, in a scenario where multiple SSDs are installed and put to work at the same time, it’s possible for all disks to break down simultaneously.

The company also warned that the bug is not unique to HPE drives and that other manufacturers SSDs could also be affected.

It’s likely Dell-EMC was also affected, as the company issued an urgent firmware update last month that also mentioned SSDs failing after 40,000 hours.

The catastrophic bug, which would cause data to become unrecoverable once a drive had failed, affects products running a firmware version older than HPD7, HPE says.

The company recommends that users upgrade the firmware to version HPD7 as soon as possible.

“HPE recommends performing an online firmware update on HPE Gen9 servers during minimal I/O activity. This will not require a reboot in most circumstances,” HPE said in an advisory.

“However, in instances where the online firmware update does not complete successfully, an offline update is required. After the flash update completes, the Smart Component will provide a message regarding whether the flash completed successfully.”

Fortunately, HPE said that no affected SSDs have yet to fail as a result of the firmware bug, but it estimates that SSDs that are left unpatched will begin to fail as early as October of this year.

This is not the first time HPE has warned about potentially disastrous flaws affecting its solid-state drives. Back in November of last year, the company sent out a similar message to its customers after a firmware defect in its SSDs caused them to fail after running for 32,768 hours.

The Project Zero security team has expanded disclosure for all bugs to a full 90 days after first being flagged, even if the bug has been fixed early, as part of a number of changes to its policies and objectives.

Previously, its security researchers would disclose a bug that’s been flagged after 90 days have elapsed, or when the bug was fixed, at their discretion.

The Google-run team, however, is trialling 90-day disclosure by default, whether or not the bug has been fixed, unless a mutual agreement is reached between Project Zero and any vendor in concern.

Project Zero’s policy goals have also evolved beyond just ‘faster patch deployment’, to also encompass ‘thorough patch development’ and, among customers, ‘improved patch adoption’.

Extending the disclosure window to 90 days for bugs that have been fixed, meanwhile, will lead to incomplete fixes reported back, and compiled into the original bug report, as opposed to being filed under a new vulnerability. This was also previously done at the discretion of any particular researcher.

“We're constantly considering whether our policies are in the interest of user security, and we believe this change is a further step in the right direction,” said Project Zero manager Tim Willis. “We also think it's simple, consistent and fair.

“We want to make attacks using zero-day exploits more costly. We do this through the lens of offensive vulnerability research and evidence of how real attackers behave.

“This involves discovering and reporting a large number of security vulnerabilities, and through our experience with this work, we realised that faster patch development and patch deployment were very important and areas for industry improvement.”

The team has been at the heart of a string of significant bug disclosures of varying severity over the last few years, including, for example, the disclosure in 2018 of a significant Edge browser bug that Microsoft didn't fix within the 90-day window.

Project Zero’s core principles also came under review, with the team prioritising simplicity, consistency and fairness to different vendors, where some don’t get preferential treatment over others.

Its two new core objectives, thorough patch deployment and improved adoption, meanwhile are being added in conjunction to the full extension of the 90-day window as there were concerns that some companies fixed bugs by simply “papering over the cracks”.

By extending the disclosure window to a full 90 days for all bugs, including fixed bugs, Project Zero is hoping that the aim of ‘faster patch deployment’ will no longer lead to compromise on quality if there’s no need to rush getting fixes out.

As a result of extending disclosure to 90 days, researchers are hoping to see more iterative and through patching practices from vendors, and also improve patch adoption since Project Zero is incentivising vendors to offer updates to a large population within 90 days.

Provider of bug bounty support to major global organisations HackerOne has paid one of its members for exposing an internal security breach.

A reward of $20,000 (£15,244) has been given to haxta4ok00, the bug hunter who exposed the mistake committed by a staffer at the company which helps the likes of Uber, Goldman Sachs and the US Department of Defense offer bug bounties of their own.

The bug hunter was potentially able to view the records and private, undisclosed vulnerabilities of HackerOne's biggest clients due to what the company is calling a "human error".

A HackerOne security analyst tasked with verifying disclosure reports from bug hunters sent a URL loaded with their session cookie information which the hunter was able to use to view things on the site only logged-in staffers should be able to.

Sending URLs between analyst and hunter is a routine process, HackerOne said in a report.

"When a security analyst fails to reproduce a potentially valid security vulnerability, they go back and forth with the hacker to better understand the report," said HackerOne. "During this dialogue, security analysts may include steps they've taken in their response to the report, including HTTP requests that they made to reproduce.

"In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie," it added.

The company confirmed that the event lasted only a short time and was not carried out with malicious intent. No undisclosed vulnerabilities were stolen, exploited or published as a result of the incident. All copies of potentially sensitive information were deleted.

"Similar to previously disclosed incidents or weaknesses within BugZilla or Google Issue Tracker, exposure of non-public HackerOne reports presents an immediate danger to not only businesses with hosted programs but also effectively all Internet users," said Craig Young, senior security researcher at Tripwire.

"While I commend HackerOne for their response, this incident is yet another reminder of the distinct risk organisations take by using managed vulnerability reporting services like BugCrowd or HackerOne," he added. "The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies (or even criminal actors) to fill their arsenal."

Something that seemed to concern Jobert Abma, co-founder of HackerOne and the individual responsible for following-up with haxta4ok00, was the observation he made regarding the sheer number of pages the hunter opened while accessing a privileged account.

"We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account," said Abma. "Would you mind explaining why you did so to us?"

"I did it to show the impact," said haxta4ok00. "I didn't mean any harm by it. I reported it to you at once.

"I apologise if I did anything wrong, but it was just a white hack," the bug hunter added.

The issue was given a CVSS score of 8.3, which is considered "high", not as severe as the likes of BlueKeep, for example.

Google has expanded its Android bug bounty program to match the $1.5 million (£1.17m) payout Apple offers for bugs found in its flagship smartphones.

The Titan M security layer, which features in Google's latest Pixel 4 smartphone, is now included as part of the company's bounty list, with the discovery of a working remote-code execution (RCE) bug being worth a potential $1 million (£776,900).

The bug hunter will be eligible for an additional 50% bonus if the Titan M vulnerability is detected and provided to Google in a developer preview version of Android, taking the maximum reward up to $1.5 million.

Aside from Titan M, Google’s Android Security Reward Program will also continue to offer rewards to researchers who find vulnerabilities in other hardware.

Up to $500,000 (£388,365) will be awarded to those who can find bugs relating to issues such as unauthorised data exfiltration and bypassing of the Pixel’s lock screen. The 50% developer preview bonus also applies to these vulnerabilities.

Google has invested heavily in its proprietary Titan technology in recent years, adding its functionality to many of its products as a more secure method of account authentication compared to 2FA.

It’s designed to offer Google hardware owners better security by assigning a physical security layer to an account, meaning remote attackers can’t intercept authenticator codes or mimic approval actions of the true owner.

Despite the faith that Google has placed in its Titan technology, it has been proven in the past to be less than iron-clad.

Earlier this year, a security flaw was found in a version of Google’s Titan Key, a physical device outside of the Pixel line that authenticates account log-in.

It only affected the Bluetooth pairing protocol needed to pair the key with the device through which the account was being accessed and Google said it would offer free replacements for the faulty units worth $50.

The bounty rewards have been increased to match Apple’s own bug bounty program which itself expanded earlier this year.

Apple also offers a maximum reward of $1 million with a 50% bonus for bugs found during an iOS beta phase.

Apple announced the expansion at Black Hat 2019 along with the news that select researchers could apply for specially crafted iPhones that would make it easier for them to detect vulnerabilities.

Some of the biggest tech firms have joined forces to launch a community-led GitHub scheme in which researchers will hunt down and fix bugs in open-source projects.

The co-operative effort will see security researchers report new vulnerabilities in open source projects using GitHub's newly-developed CodeQL tool. This semantic code analysis engine will let users query code as if it were data, in order to find all variants of a discovered vulnerability, and then share findings with the wider community.

GitHub's Security Lab will also work to build tools to better secure code-bases, more effectively connect the wider security community, and bring developers together as well.

"GitHub's approach to security addresses the whole open source security lifecycle," said vice president for product management and security Jamie Cool.

"GitHub Security Lab will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version."

The initiative has launched as a 14-strong collaboration between F5 Networks, GitHub, Google, HackerOne, Intel, IOActive, JP Morgan, Microsoft, Mozilla, NCC Group, Okta, Trail of Bits, Uber and VMware.

The team behind Security Lab will dedicate full-time resources into finding and reporting vulnerabilities, and has already found more than 100 issues deemed serious enough to be issued with CVE categorisations.

The CodeQL tool, developed by GitHub, is also being made open-source, with users able to explore reams of open source code to find vulnerabilities, especially different versions of the same vulnerability that can otherwise be difficult to trace.

Developers are also being incentivised to contribute through a bug bounty programme which offers an award of up to $2,500, depending on the severity of the flaw and the quality of the submitted query.

GitHub's initiative is similar in nature to a host of other organisations that have been created in recent years to combat the rising tide of cyber crime, and bolster cyber security in general.

Microsoft, for example, is also a founding member of the CyberPeace Institute, which was established alongside Mastercard and the Hewlett Foundation in September to combat global cyber crime.

Mozilla, Intel and Red Hat among others were also part of a just freshly-launched initiative to make the software development process more secure. The Bytecode Alliance will be an open source community dedicated to creating secure software foundations.

Windows 10 problems can be incredibly frustrating. From simple error alerts to the dreaded 'blue screen of death,' these issues can severely impact productivity and create major challenges for both individual users and businesses.

Despite its popularity, Windows 10 is not immune to bugs and issues. Problems with booting, upgrading, privacy protection, storage management, or a stuck Windows 10 update can disrupt your workflow.

Regularly updating your system, following good cyber security practices, and monitoring system performance can significantly reduce the occurrence of many common problems.

However, when issues inevitably arise, having a trustworthy resource for troubleshooting is essential for quickly resolving them. To assist you in overcoming these challenges, we've compiled a comprehensive list of common Windows 10 problems along with detailed steps to fix them.

Whether you are facing a performance issue, software malfunction, or security concern, our guide offers practical, easy-to-follow solutions to ensure your operating system continues running smoothly, reliably, and efficiently.

Additionally, if your system has become sluggish, you might find solutions in our guide on ways to speed up Windows 10, which can address many issues not listed here.

1. Can't upgrade from Windows 7 or Windows 8

A frequent issue many users have with Windows 10 occurs right at the start when they upgrade from Windows 7 or Windows 8. This tends to be a warning which notifies a user that the 'Get Windows 10' (also known as GWX) app is not compatible.

Alternatively, users could find that the application isn’t showing up at all. Rather annoyingly, this will cause the update to fail. But there’s no need to worry as there are a couple of ways to solve this problem:

• Open the Control Panel and then run Windows Update and ensure that the PC is fully up to date. If updates fail, run the Windows Update Troubleshooter (see below)
• Head to Microsoft's Media Creation Tool. Click 'Download now', save the tool, and run it on the PC you want to upgrade. If this didn't work for you back when Windows 10 launched, try it again now - the tool has received a number of updates since.
• Make sure that hardware Disable Execution Prevention (DEP) is switched on in the BIOS, referring to your motherboard manual for help if you need it. If you still have problems, use the Start Menu to search for 'performance', run Adjust the appearance and performance of Windows, click the Data Execution Prevention tab and turn DEP on for all programs and services, then reboot and try again.

2. Can't upgrade to the latest Windows 10 version

Every now and then, Microsoft releases a new update for Windows 10. Updates tend to provide various bug fixes to help the operating system run smoother, but these can also introduce new and exciting features to Windows 10.

Even though Windows 10 is known as one of Microsoft’s more stable releases, sometimes users of the operating system find it troublesome to update to the latest Windows 10 update available.

Unfortunately, not all users will be able to see if this update is ready, meaning that you’ll have to investigate how the operating system update can be installed manually.

Ahead of carrying out the upgrade, you should see which version of the operating system you’re currently using. This can be found in the 'About Windows' tab in the Settings menu.

Once you're ready to upgrade to the latest Windows 10 version, you can use the Windows Update Tool. Some users see the Media Creation Tool alternative as a better and more reliable option. To access it, simply download and install it before using it to upgrade your device to the latest version.

One thing to bear in mind is that if you run the Media Creation Tool, it may not immediately display any kind of reference that it's upgrading to the most recent version of Windows 10. The tool will ask you if you want the Home or Business version of Windows 10 and, if you have one of these already on your device, the newest build should hopefully be installed.

Also, make sure you've opted to keep the personal files and apps and click 'Install' to keep your data, apps, and most of your settings untouched. Now, when you hit 'Install', it should start installing the most up-to-date version of the operating system.

3. You have a lot less free storage after upgrading

Following a successful Windows 10 installation, the previous operating system may still be lingering and consuming hard disk space.

Unlike many other tech companies, Microsoft lets users upgrade their devices and keep a backup of the important files that make up the previous version of your OS. This is embedded deep in the C:/ drive and acts as a safety net in case you run into issues with the newer OS, or if you simply dislike the new look.

However, if you're in need of the space, it is possible to remove this backup. To do this:

• Click the Windows Start button and type 'Disk Cleanup', which should produce the app in the results
• Once the app opens, a drive selection option should appear next. All you need to do is select the drive your operating system is installed on. The C:/ drive should appear first, as it's more often than not the default drive.
• Hit 'OK' if you're sure this is the drive your operating system was installed on. Windows 10 should then scan your system for a short period before another prompt appears.

• You will now be faced with two choices, which look like a list of files to delete immediately. One option is 'Previous Windows Installation(s)' and the other will be 'Clean up system files' option on the bottom left if this first choice isn't available.
• The operating system will then perform some more calculations and offers a similar-looking prompt window. This time, though, it will give you the option to delete previous Windows installation(s). You might have to scroll down to find it, but it should be taking up a sizeable bit of drive space (in our case 5GB). Tick this option and click 'OK'.
• In the separate message box that appears asking if you're certain you want to send this, click 'Delete Files' and you're done.

4. Windows Update isn't working

Many people have reported issues with Windows Update, whether that's the update getting stuck or simply failing. Check first that you've upgraded to the Windows 10 Fall update (see above, number 2). If you're still encountering problems, download and run the Windows Update Troubleshooter, then reboot and try to update again.

If the problems remain, you might need to get a bit more stuck in. First, check that System Restore is configured (see below, number 7) and create a restore point. With this done, use Win+X and select Command Prompt (Admin), then type 'net stop wuauserv' (without the quotes) and hit Enter, followed by 'net stop bits' and Enter.

You should see confirmations that each service was either stopped or wasn't running. Next, open Explorer and navigate to:

C:\Windows\SoftwareDistribution

Delete its contents including any sub-folders. Now reboot, open Windows Update, and click Check for updates.

5. Windows updates when I don't want it to

If you're anything like us, you set up previous Windows releases so that they wouldn't install updates automatically - one forced reboot is one too many.

There is a workaround for users running Windows 10 Pro: from the Start Menu, search for 'gpedit' and run the Group Policy Editor. Expand Computer Configuration in the left-hand pane and navigate to Administrative Templates\Windows Components\Windows Update.

Double-click Configure Automatic Updates in the list, select the Enabled radio button, and in the left-hand box select 2 - Notify for download and notify for install. Now click OK, and you'll be notified whenever there are updates - unfortunately, they'll be a daily irritation if you're using Windows Defender.

The Group Policy Editor isn't available on Windows 10 Home, but we'd recommend you at least open Windows Update, click 'Advanced options' and select 'Notify' to schedule restart from the 'Choose how updates are installed' list.

While you're here, all Windows 10 users might want to click 'Choose how updates are delivered' and ensure that 'Updates from more than one place' is either off or set to 'PCs on my local network'.

6. Too many unnecessary Windows 10 notifications

Encountering too many notifications in Windows 10 can be overwhelming. The Action Center, located on the right-hand side of the taskbar, consolidates various notifications for easy management.

While this feature is helpful in principle, neglecting to manage it can lead to an overload of both important and trivial notifications. To handle this, open 'Settings' and navigate to 'Notifications & Actions' where you can customize which apps are allowed to send you alerts.

Additionally, Windows 10's default data-sharing settings are not ideal for privacy, so reviewing and adjusting these is crucial.

Access the Settings app via the Start Menu, then go to Privacy. Here, you’ll find multiple options to control which apps can access your camera, microphone, and other sensitive data. This ensures that no apps have access to information you aren’t aware of.

Windows Defender settings should also be checked. Navigate to Update & Security in Settings, then to Windows Defender. Review and adjust settings for cloud-based detection and automatic sample submission according to your preferences.

Wi-Fi Sense, a feature designed to connect your device to networks quickly, raises privacy concerns. To manage this, go to Network & Internet in the Settings menu, select Wi-Fi, then Manage Wi-Fi Settings. Turn off options like Connect to suggested open hotspots and Connect to networks shared by my contacts. This prevents your device from automatically connecting to potentially insecure networks.

Wi-Fi Sense might inadvertently share your network’s credentials with nearby devices, including those not under your control. To prevent this, rename your network’s SSID to end with "_optout." For better network hygiene, allow guests to use a separate guest network and configure all devices to avoid using Wi-Fi Sense. This practice helps maintain a secure and private network environment.

7. Windows 10 shares too much data

Windows 10's default data-sharing settings are often too permissive, so it's important for users to review and adjust them to protect their privacy periodically.

To begin, open the Start Menu and search for the Settings app. Navigate to the Privacy section, where on the left-hand pane, you’ll find various options regarding how your device shares data.

Carefully examine all the categories to determine if you’re comfortable with your apps using services like the camera, microphone, and accessing your account information. This step is crucial to ensure you know which apps have access to your data.

By default, incidentally, the Feedback & diagnostics setting beams ‘enhanced data’ to Microsoft – so turn this off if you’d rather not.

Next, go back to the main settings menu and select Update & Security, then navigate to Windows Defender. Review the default settings for cloud-based detection and automatic sample submission, and adjust them according to your preferences to ensure they align with your privacy needs.

Wi-Fi Sense, a feature designed to connect your Windows 10 device to networks more quickly, can raise privacy concerns. To manage this, enter the Settings menu, choose Network & Internet, then Wi-Fi, and select Manage Wi-Fi Settings. It is recommended to turn off "Connect to suggested open hotspots" and "Connect to networks shared by my contacts." Additionally, disable the option under Paid Wi-Fi services.

Wi-Fi Sense can also share your network’s credentials with nearby devices, including those not under your control, which poses a privacy risk. To mitigate this, rename your network's SSID to end with '_optout'. Providing guests with access to a separate guest network instead of the main one is a good practice. Ensure that all devices and staff disable Wi-Fi Sense before connecting to your primary network.

By regularly checking and adjusting these settings, you can maintain better control over your data and enhance your privacy on Windows 10.

8. Can't access safe mode using keyboard function keys

Safe Mode can be a life-saver in many system-critical problem situations, especially when your device is finding it difficult to start correctly. However, what if one day, you find out that you can no longer activate Safe Mode by pressing the F8 or Shift+F8 keys at boot?

Fortunately, there are a variety of ways to boot into Safe Mode. We've put together a guide on how to boot Windows 10 Safe Mode, which provides alternatives to using the F8 shortcut, or bypassing shortcuts entirely. These include access a boot option inside the Update & Security settings, or using the Left Shift button as part of a restart.

You should also consider setting a Safe Mode as an option in the boot menu, although your system will first need to be configured to support it.

To set this up, you can do the following:

If you ever want to get rid of the Safe Mode entry, you can do it easily by returning here and deleting it.

You can repeat these steps, substituting suitable names in quotes at the Command Prompt, to create shortcuts for Safe Mode with Networking (tick Network rather than Minimal in System Configuration) and Safe Mode with Command Prompt (Alternate shell).

9. System Restore isn't turned on

One of the most puzzling aspects of Windows 10 is that System Restore is not enabled by default, despite its crucial role in system recovery. To activate System Restore, you need to do this manually via the Control Panel.

• Start by searching for "Create a restore point" in the search bar and open the System Properties page from the top result.
• In the Protection Settings section, select your main system drive (usually labeled as 'C:') and click Configure.
• Next, choose the option labeled Turn on system protection and apply the changes.

Once enabled, Windows 10 will automatically create restore points during updates or other significant changes to your system. This feature acts as a valuable safety net, allowing you to revert your system to a previous state in case something goes wrong, thereby helping you recover quickly from unexpected issues.

10. Windows 10 default app settings reset after update

Major operating system updates can sometimes alter your settings, including which third-party apps are used to open specific file types. Instead of keeping your custom settings, the update may revert everything back to the Windows 10 default apps, which can be quite frustrating. Fortunately, it’s easy to restore your preferences without remapping all file types manually.

To resolve this, open the Settings app and click on the System tab. Navigate to Default apps to choose which applications should handle different file types. For instance, you might prefer using Groove Music for music files instead of the default Windows Media Player.

In this section, you can also customize which apps open particular file extensions. For example, you could set VLC Media Player to open MP3 files while keeping Windows Media Player for M4A files or other audio formats. Making these small adjustments helps enhance your overall experience and ensures that your preferred tools are always used.

11. Windows 10 is using 4G data

If you have a Windows tablet or laptop that can use a SIM card, you can access mobile internet on Windows 10 when Wi-Fi isn't available. However, this can lead to unexpected data usage if not properly configured, especially when using a portable hotspot.

To prevent this, go to ‘Settings’, then ‘Network & Internet’. Select ‘Wi-Fi’, followed by ‘Advanced Options’, and enable the ‘Set as metered connection’ option. This setting ensures the operating system minimizes background data usage, such as non-essential updates, protecting your monthly data allowance.

12. Bad localisation, Cortana 'not available'

Windows 10’s localisation options can sometimes be confusing and inconsistent. There have been instances where incorrect localisation settings are carried over from previous versions, such as Windows 7 or Windows 8, even after a proper upgrade. This can lead to issues like incorrect regional formats or Cortana being unavailable in regions where it should be supported.

One common cause of these problems is the system date format being set incorrectly. For example, the system may have defaulted to the standard US date format (MM/DD/YY), instead of a UK format. To correct this, go to the Start Menu and search for Region to access the Region & Language settings. Ensure that the Country or region is set correctly, such as 'United Kingdom', and verify that the language setting reflects your preferred language. Click on Options under your primary language, and if prompted, download the language pack and speech options.

It’s also important to make sure that your keyboard input method matches your region. Incorrect input methods can cause further confusion, so select the correct one and remove any incorrect configurations.

Next, navigate to Additional date, time & regional settings by clicking the back arrow. From there, choose Change input methods under the Language section, select your preferred language, and make sure it is at the top of the list. Click on Options to verify further settings.

For the Windows display language, it may show as either ‘Enabled’ or ‘Available’. If it’s marked as ‘Available’, click Make this the primary language. If the option does not appear, download and install the necessary language pack first. Finally, go back to the language preferences, click on Change date, time, or number formats in the left pane, and ensure the correct language format is displayed.

To complete the setup, switch to the Location tab and confirm that your Home location is correct. Then, click on the Administrative tab and check your System locale. Use the Copy settings option if you want to apply these changes to new user accounts and the Welcome screen, ensuring consistency across the system.

13. I can't save a webpage as an HTML file in Microsoft Edge

In Microsoft Edge, you currently cannot save web pages as HTML files. Previously, Internet Explorer 11 provided a workaround for this feature, but it has since been removed from most Windows 10 PCs. Instead, you'll need to use a browser like Chrome that supports this functionality.

To save a web page as an HTML file in Chrome, click the three dots in the top-right corner of the browser, navigate to ‘More tools’, and select ‘Save page as’. A Windows popup box will appear, allowing you to rename the file and choose to save it as an HTML file. Finally, press the save button to download the page to your computer. This method ensures you can keep a local copy of web pages for offline access or archival purposes.

14. The lock screen gets in the way

If you find the Windows lock screen to be an unnecessary barrier, you can disable it through the Registry Editor. This tweak allows you to bypass the lock screen and go straight to the login screen or desktop, saving time and reducing annoyance.

To start, open the Registry Editor by searching for regedit in the Start Menu. Once the Registry Editor is open, navigate to the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

Look for a key named Personalization. If it doesn’t exist, you will need to create it: right-click the Windows key, select New > Key, and rename it to Personalization.

Next, right-click the new Personalization key, choose New > DWORD (32-bit) Value, and name it NoLockScreen. Double-click on this value and set the data to 1, then click OK to confirm.

After making these changes, restart your computer. The lock screen should now be disabled, allowing for a more streamlined login experience without the extra step of dismissing the lock screen.

15. Boot times are too slow

In Windows 8, Microsoft introduced hybrid boot to shorten start-up times, and this feature was carried over to Windows 10. Normally, when you shut down your PC, all processes are terminated. However, with hybrid boot, the Windows kernel goes into hibernation to speed up the next start-up. While this is useful, it can sometimes be too slow for IT professionals.

To disable hybrid boot, search for ‘Power Options’ in the Start Menu. Open the Control Panel applet from the left pane, and click on ‘Choose what the power buttons do.’ Select ‘Change settings that are currently unavailable,’ then find and deselect ‘Turn on fast start-up.’ Save your changes, and your PC should turn on faster.

Interestingly, some users have found that toggling fast start-up off and then back on can resolve related issues. To do this, follow the previous steps to deselect the function, restart your system, and then re-enable it.

Additionally, if you dual-boot between Windows 7 and Windows 10, disabling fast start-up in Windows 10 can prevent Windows 7 from performing a disk check every time you boot. This happens because with fast start-up enabled, Windows 7 may not recognize that the disks were properly shut down in Windows 10. Disabling this feature ensures smoother transitions between the two operating systems.

16. Windows 10 Sound Problems

Sound issues can be quite common in Windows 10, especially after an update. Here’s how to fix sound problems:

• Check audio output device: Make sure the correct output device is selected. Click on the speaker icon in the system tray and ensure the proper device is chosen from the dropdown list.
• Update audio drivers: Outdated or corrupted audio drivers are a common cause of sound issues. Open Device Manager, expand Sound, video and game controllers, right-click your audio device, and select Update driver.
• Run the audio troubleshooter: Windows has a built-in troubleshooter that can often resolve sound issues automatically. Go to Settings > Update & Security > Troubleshoot and select Playing Audio.

17. Windows 10 startup problems

Startup issues are a frequent source of frustration for Windows 10 users. These problems can range from the system being stuck in a boot loop to errors preventing the computer from starting properly. To address startup issues:

• Use startup repair: Restart your computer and boot into the Advanced Startup menu by holding the Shift key while selecting Restart. From here, select Troubleshoot > Advanced options > Startup Repair.
• Boot in safe mode: If the system is struggling to start normally, try booting into Safe Mode. Hold the Shift key while restarting, and select Troubleshoot > Advanced options > Startup Settings. In Safe Mode, you can uninstall problematic updates or drivers.
• Check boot order in BIOS: Sometimes incorrect BIOS settings can prevent Windows from starting. Enter the BIOS (usually by pressing F2 or Del during startup) and verify that the correct drive is set as the primary boot device.

The Chkdsk function is a tool capable of seeking out and repairing hard drive issues on Windows operating systems. This powerful tool analyses the hard drive to prevent major issues from spiralling out of control and resulting in hardware corruption. The procedure is somewhat in-depth and can take some time to complete.

The Chkdsk function is handy for identifying potential problems with a storage device, and can perform a variety of functions, from fixing issues to assessing the integrity of a system file. Chkdsk is particularly efficient at fixing corrupted master file tables, weak security descriptors, and incorrectly entered timestamps.

The tool is also good for scanning sectors for signs of corruption that may be degrading overall performance. The tool checks specifically for so-called 'soft' or 'hard' bad sectors.

Soft bad sectors are those that have become corrupted during the write process, while hard bad sectors are the result of physical damage to the device. The Chkdsk function is useful for handling these bad sectors, as it's able to repair the soft ones, and isolate the hard ones so they're not used.

How to run Chkdsk

Most Windows systems have the means to use Chkdsk, from Windows 7 to the latest version of Windows 10. Users of legacy Windows systems, including Vista or XP, can also trigger Chkdsk to analyse their hard drives for any bad sectors or issues. The tool can normally be triggered for each hard drive, or even individual partitions, as you boot into windows.

There are a number of ways to run the Chkdsk function. One popular method is to use the Command Prompt, which is handy if you're unable to access the desktop. You can either use Recovery Mode, or the original installation medium to boot and then run Command Prompt in order to run Chkdsk this way.

To repair errors without scanning for bad sectors, select the 'Automatically fix file system errors' box and to repair errors and scan for bad sectors, select the 'Scan for and attempt recovery of bad sectors' box. The utility will notify you if the scan finds any errors or not.