James Forshaw has made the headlines this week after he managed to find a mitigation bypass flaw in Windows 8.1, which not only helped Microsoft make its operating system more secure, but also brought him a $100,000 (€73,700) reward.
Unfortunately for Forshaw and other security researchers looking for flaws in software products, he’ll receive only a small chunk of this award.
According to a report published by The Guardian, the company he’s currently working for and the taxman will take most of the money, so he’ll barely get any of the bounty.
"When it comes to the bounties given for finding security flaws like this, most of it goes to the company you work for, and even if it didn't, once the taxman has taken his cut it's certainly not a life changing monetary sum - we're not talking retirement money here," Forshaw was quoted as saying.
This isn’t, however, a new thing for security researchers. Forshaw explains that although Microsoft has its very own security department investigating bugs and other issues, third-party researchers are usually more effective in finding glitches because they’re not familiar with the code.
"Microsoft and Google have fairly extensive security departments that are actively looking at finding software flaws in their own products and fixing them, making their products even more secure than what they already are," Forshaw explained.
"However, sometimes it's a case of being too close to the product. When you've got access to the source code, the people that coded it, or maybe you were actually part of the team writing these products, you simply can't see the wood for the trees.”
Microsoft hasn’t commented too much on Forshaw’s rewards, so the company only issued a statement to congratulate him on his finding and the reward he would receive.
"Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps, " Redmond said.