Microsoft Expands $100K Windows Bug Bounty Program

Microsoft has expanded its security bounty program in the hopes of keeping sophisticated Windows exploits off the black market.

Microsoft will now accept Windows bypass techniques that have been seen in active use in the wild for its $100,000 bounty program. Before this, researchers were only allowed to submit proof-of-concept exploits that they had discovered as opposed to exploits they found.

“This makes it a…program that encourages incident responders, or anyone else who comes across something in the wild, to be the first to grab it and claim the prize,” blogged Wendy Nather, research director for 451 Research’s enterprise strategy group. “The original creator of a bypass not only has to make sure it evades detection by security technology; he has to protect it from his own confederates, or anyone else who knows about it and thinks $100,000 is pretty nifty.”

Related Podcast: The Story Behind Microsoft’s Bug Bounty Program

The latest announcement is an outgrowth of a rewards program for Windows security that Microsoft established in June. The Windows bounty was one of three programs the company created this summer to promote security; also established was a program to report vulnerabilities affecting the Internet Explorer 11 Preview as well as a reward for up to $50,000 for defensive ideas accompanying a qualifying mitigation bypass submission. The IE program is now closed, though the others remain open.

“Individual bugs are like arrows,” said Katie Moussouris, senior security strategist lead for Microsoft Trustworthy Computing, in a statement. “The stronger the shield, the less likely any individual bug or arrow can get through. Learning about ‘ways around the shield,’ or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of arrows as opposed to a single bug – hence, we are willing to pay $100,000 for these rare techniques.”

To participate in the expanded bounty program, organizations need to pre-register with Microsoft before turning in a submission. Once a person is registered and signs an agreement, Microsoft will accept any technical write-up and proof-of-concept code for consideration, Moussouris noted.

“This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets,” she explained in a blog post. “Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.”
