
Microsoft Paid $2,000,000 in Bounty Rewards in 2018

Microsoft says it has awarded more than $2,000,000 in bug bounty rewards to security researchers who have reported vulnerabilities via the company’s bounty program. 

Given the success of Microsoft’s Bounty Program, the software maker has decided to bring a series of improvements to it, including faster bounty reviews and payments, broadened scope and higher awards, and a new policy for duplicate reports.

Effective January 2019, Microsoft no longer waits until a final fix has been determined to reward the reporter. Instead, it is now awarding the bounties upon completion of reproduction and assessment of each submission, so that researchers are rewarded faster. 

Microsoft says it also wants to ensure that payments happen quickly for vulnerability submissions that have successfully qualified for bounty awards. 

To that end, it is partnering with HackerOne for bounty payment processing and support. This also brings support for additional payment options, including PayPal, cryptocurrency, and direct bank transfer in more than 30 currencies. The HackerOne platform also supports award splitting and charity donations.

While Microsoft bounty awards will be processed through HackerOne, vulnerability reports should still be sent to the Microsoft Security Response Center directly, at [email protected] 

The software giant is also increasing rewards for vulnerability reports, including the top award levels for the Windows Insider Preview bounty, which were raised from $15K to $50K, and those for the Microsoft Cloud Bounty program (which includes Azure, O365, and other online services), which went from $15K to $20K. 

Microsoft also updated its policy regarding duplicates, and will pay the full eligible bounty award to the first researcher to report a bounty-eligible vulnerability, even if it is internally known. The policy regarding duplicate external reports of the same vulnerability remains unchanged. 

“Historically, external reports of internally known vulnerabilities were rewarded 10% of the eligible bounty award as the report did not inform us of a new and previously unknown issue. But understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can,” Microsoft says. 

Related: Microsoft Launches Azure DevOps Bug Bounty Program

Related: Zerodium Offers $500,000 for VMware ESXi, Microsoft Hyper-V Exploits

Related: HackerOne Bug Bounty Programs Paid Out $11 Million in 2017

Written by Ionut Arghire, an international correspondent for SecurityWeek.
