SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year

Microsoft this week announced that, over the past 12 months alone, it paid out $13.7 million in rewards as part of its bug bounty programs.

Microsoft this week announced that, over the past 12 months alone, it paid out $13.7 million in rewards as part of its bug bounty programs.

The tech giant is currently running over 15 bug bounty programs covering assets across its cloud services, desktop applications and operating systems, and confidentiality and virtualization solutions, including a program covering the ElectionGuard open source software development kit (SDK).

Security researchers interested in participating in Microsoft’s bug bounty programs may earn rewards of up to $250,000 for critical-severity vulnerabilities in Hyper-V that could lead to remote code execution, information disclosure, or denial of service (DoS).

In fact, the single biggest payout that Microsoft handed out between July 1, 2021, and June 30, 2022, was of $200,000, awarded for a critical flaw in the Hyper-V hypervisor.

During the 12-month period, more than 330 security researchers received rewards via Microsoft’s bug bounty programs, for an average payout of more than $12,000.

Microsoft says it is evolving its bug bounty programs based on feedback from researchers. This year, the company introduced across its programs a new research challenge and new high-impact attack scenarios.

Advertisement. Scroll to continue reading.

New additions and updates include an Azure SSRF challenge, Android and iOS being added to the Edge bounty program, a recognition program for researchers, the addition of on-premises Exchange, SharePoint, and Skype for Business to the bug bounty program, and expanded Azure, M365, and Dynamics 365 and Power Platform bounty programs with high-impact scenarios.

“The addition of these attack scenarios to our Azure, Dynamics 365 and Power Platform, and M365 bounty programs helps to focus research on the highest impact cloud vulnerabilities including areas like Azure Synapse Analytics, Key Vault, and Azure Kubernetes Services,” Microsoft notes.

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Related: Microsoft Adds Teams Mobile Applications to Bug Bounty Program

Related: Microsoft Launches ElectionGuard Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

More from

Latest News

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: Why Email Security Keeps Failing (And What Has to Change)
July 8, 2026

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

Virtual Event: 2026 Cloud Security Summit
July 16, 2026

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

Philip Martin has joined Uber as Chief Information Security Officer.

More People On The Move

Expert Insights

No Exploits Required

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Popular Topics

Security Community

Stay Intouch

About SecurityWeek

News Tips

Got a confidential news tip? We want to hear from you.

Submit Tip

Advertising

Reach a large audience of enterprise cybersecurity professionals

Contact Us

Daily Briefing Newsletter

Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.