In June, Microsoft announced that it would start paying third-party security researchers for their work. Specifically, up to $11,000 was available for critical vulnerabilities discovered in the Internet Explorer 11 beta (a scheme that's now over), and up to $100,000 was available for any technique that bypassed Windows' built-in exploit mitigation schemes.

Four months later, the company has paid its first $100,000 bounty. Researcher James Forshaw from Context Information Security has created an as-yet unpublicized way of exploiting Windows applications that defeats systemic protections such as Address Space Layout Randomization and Data Execution Prevention.

Unlike other bug bounty programs, such as the one Google runs for its products, Microsoft is not paying out for individual bugs in released software. The company says that there are already plenty of companies willing to pay for such bugs, so there's no particular need to get in on that action. Rather, the $100,000 scheme pays out for entire classes of exploits, in principle enabling Microsoft to provide generic mitigations that will make many bugs harder to use maliciously.

The $100,000 payout isn't Forshaw's only reward from Microsoft. He was already the biggest beneficiary of the Internet Explorer 11 bounty program, receiving $4,400 for reporting four bugs and $5,000 for reporting a design issue.

Microsoft's response to Forshaw's exploit technique will come at some point in the future. More immediately, the company yesterday issued a patch for an Internet Explorer zero-day flaw that was being actively exploited in the wild.