Microsoft this week announced that, over the past 12 months alone, it paid out $13.7 million in rewards as part of its bug bounty programs.
The tech giant is currently running over 15 bug bounty programs covering assets across its cloud services, desktop applications and operating systems, and confidentiality and virtualization solutions, including a program covering the ElectionGuard open source software development kit (SDK).
Security researchers interested in participating in Microsoft’s bug bounty programs may earn rewards of up to $250,000 for critical-severity vulnerabilities in Hyper-V that could lead to remote code execution, information disclosure, or denial of service (DoS).
In fact, the single biggest payout that Microsoft handed out between July 1, 2021, and June 30, 2022, was of $200,000, awarded for a critical flaw in the Hyper-V hypervisor.
During the 12-month period, more than 330 security researchers received rewards via Microsoft’s bug bounty programs, for an average payout of more than $12,000.
Microsoft says it is evolving its bug bounty programs based on feedback from researchers. This year, the company introduced across its programs a new research challenge and new high-impact attack scenarios.
New additions and updates include an Azure SSRF challenge, Android and iOS being added to the Edge bounty program, a recognition program for researchers, the addition of on-premises Exchange, SharePoint, and Skype for Business to the bug bounty program, and expanded Azure, M365, and Dynamics 365 and Power Platform bounty programs with high-impact scenarios.
“The addition of these attack scenarios to our Azure, Dynamics 365 and Power Platform, and M365 bounty programs helps to focus research on the highest impact cloud vulnerabilities including areas like Azure Synapse Analytics, Key Vault, and Azure Kubernetes Services,” Microsoft notes.
Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA
Related: Microsoft Adds Teams Mobile Applications to Bug Bounty Program
Related: Microsoft Launches ElectionGuard Bug Bounty Program