Microsoft paid out millions in bug bounties last year
Software giant paid out $2m to security researchers for finding bugs in its products
The Microsoft Bounty Program paid out over $2m to security researchers for finding software bugs in its products in 2018 alone and now the company plans to extend its bug bounty program further with a number of improvements intended to better serve the security research community.
For starters, the Cloud, Windows and Azure DevOps programs will now award bounties upon completion of reproduction and assessment of each submission rather than waiting until the final fix has been determined.
By shortening the time from submission to award determination, Microsoft is helping researchers receive their bounty rewards faster, which should encourage them to keep reporting bugs and may even draw more researchers to the programs.
The company has also partnered with HackerOne for bounty payment processing and support, to deliver bounty awards more efficiently. The hacker-powered security platform will also offer more payment options, including PayPal, cryptocurrencies and direct bank transfer in more than 30 currencies.
Increased awards and duplicate submissions
Microsoft is also raising the top payouts in multiple bounty programs. The Windows Insider Preview bounty increased from $15k to $50k in January 2019, and the Microsoft Cloud Bounty program for Azure, Office 365 and other online services will increase from $15k to $20k.
The scope of the Cloud bounty has also been expanded and the company plans to further expand the scope and rewards across its programs throughout the year.
Microsoft has also updated its policy on duplicate submissions in an effort to reward researchers for their contributions whenever it can. Now the first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award even if the bug is already known internally.
However, there has been no change to the company's policy regarding duplicate external reports of the same vulnerability: rewards are still given on a first come, first served basis.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.