Connect with us

Hi, what are you looking for?



Microsoft Paid Out $63 Million Since Launch of First Bug Bounty Program 10 Years Ago

Over the past ten years, Microsoft has handed out $63 million in rewards as part of its bug bounty programs.

Microsoft on Monday announced that it has paid out $63 million in rewards to the security researchers participating in its bug bounty programs.

The tech giant launched its first bug bounty programs in 2013, when it was accepting reports of exploitation techniques in Windows 8.1 and flaws in the preview version of Internet Explorer 11.

Initially, Microsoft was receiving less than 100 reports annually, from the few dozen researchers who were participating. The company was paying a few hundred dollars in rewards annually.

Now, the company is running 17 bug bounty programs covering Azure, Edge, Microsoft 365, Windows, Xbox, and more, with rewards of up to $250,000 offered for high-impact bugs in the Hyper-V hypervisor.

According to Microsoft, thousands of security researchers from 70 countries are now receiving bug bounties. Students, academics, and full-time cybersecurity professionals are also participating in the company’s bug bounty programs.

Of the total $63 million handed out since 2013, $60 million were paid over the past five years, the company says. Starting 2020, Microsoft has been handing out more than $13 million annually to roughly 300 researchers.

“The data from the programs is a critical part of arming product and security teams across the company to deliver broader security improvements and mitigations beyond one-off bug fixes,” Microsoft says.

Since 2013, Microsoft has changed its bug bounty rewards policies several times, to offer monetary payments even for bugs that had already been discovered internally, and to make it clearer for researchers what vulnerability reports are eligible.

The award amounts were increased as well, concentrating on flaws with increased customer impact, and patching times have been shortened, the tech giant says.

Advertisement. Scroll to continue reading.

“Today, incentives and partnership are baked into our company’s vulnerability disclosure program. Every report that is triaged, assessed, and fixed is reviewed for potential bounty eligibility. There is no need to register, no need to sign up, everyone is invited,” the company notes.

Related: Microsoft Offers Up to $15,000 in New AI Bug Bounty Program

Related: Hacker Conversations: Natalie Silvanovich From Google’s Project Zero

Related: Google Announces Bug Bounty Program and Other Initiatives to Secure AI

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.