Microsoft Bug Bounty Program Expanded to Third-Party Code

All critical vulnerabilities in Microsoft, third-party, and open source code are eligible for rewards if they impact Microsoft services.

Microsoft on Thursday announced a significant expansion of its bug bounty program, which now also covers third-party and open source code that its online services depend on.

As long as a critical vulnerability has a demonstrable impact on Microsoft's online services, the researcher who finds and reports it is eligible for a bounty reward, regardless of who owns or maintains the affected code.

“If a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source, we will do whatever it takes to remediate the issue,” Microsoft VP Tom Gallagher says.

Microsoft says this 'In Scope by Default' approach aligns with the way attackers view the attack surface: every exploitable defect matters, whether it sits in first-party, third-party, or open source code.

“In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services. They don’t care who owns the code they try to exploit,” Gallagher notes.

In short, security researchers looking for weaknesses in areas of high interest to threat actors are encouraged to submit vulnerability reports through the Microsoft bug bounty program, even when the root cause lies outside code Microsoft wrote.

“If Microsoft’s online services are impacted by vulnerabilities in third-party code – including open source, we want to know. If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code,” Gallagher says.

The update took effect immediately, and Microsoft's bug bounty program now covers all of its online services by default. New services are considered in scope as soon as they launch, rather than being added to the program after the fact.

The expanded bug bounty program is the latest change Microsoft has made under the Secure Future Initiative it announced in 2023, and follows the naming of two new Operating CISOs earlier this week.

Written by Ionut Arghire, international correspondent for SecurityWeek.