Microsoft says it has awarded more than $2,000,000 in bug bounty rewards to security researchers who have reported vulnerabilities via the company’s bounty program.
Given the success of Microsoft’s Bounty Program, the software maker has decided to bring a series of improvements to it, including faster bounty reviews and payments, broadened scope and higher awards, and a new policy for duplicate reports.
Effective January 2019, Microsoft no longer waits until a final fix has been determined to reward the reporter. Instead, it is now awarding the bounties upon completion of reproduction and assessment of each submission, so that researchers are rewarded faster.
Microsoft says it also wants to ensure that payments happen quickly for vulnerability submissions that have successfully qualified for bounty awards.
Thus, it is partnering with HackerOne for bounty payment processing and support. This also means support for additional payment options, including PayPal, crypto-currency, or direct bank transfer in more than 30 currencies. The HackerOne platform also has support for award splitting and charity donations.
While Microsoft bounty awards will be processed through HackerOne, vulnerability reports should still be sent to the Microsoft Security Response Center directly, at [email protected]
The software giant is also increasing rewards for vulnerability reports, including the top award levels for the Windows Insider Preview bounty, which were raised from $15K to $50K, and those for the Microsoft Cloud Bounty program (which includes Azure, O365, and other online services), which went from $15K to $20K.
Microsoft also updated its policy regarding duplicates, and will pay the full eligible bounty award to the first researcher to report a bounty-eligible vulnerability, even if it is internally known. The policy regarding duplicate external reports of the same vulnerability remains unchanged.
“Historically, external reports of internally known vulnerabilities were rewarded 10% of the eligible bounty award as the report did not inform us of a new and previously unknown issue. But understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can,” Microsoft says.