November 21, 2023 at 02:13PM
Microsoft has launched a bug bounty program for its Microsoft Defender security platform, offering rewards between $500 and $20,000. The program initially focuses on Microsoft Defender for Endpoint APIs but is expected to expand. High-quality reports of critical severity remote code execution vulnerabilities have the highest reward. Microsoft paid $58.9 million in rewards to security researchers last year.
Key takeaways from the meeting notes:
1. Microsoft has launched a new bug bounty program for the Microsoft Defender security platform, offering rewards ranging from $500 to $20,000.
2. The final reward amount will be determined by Microsoft based on vulnerability severity, impact, and submission quality.
3. The highest reward is for high-quality reports of critical severity remote code execution vulnerabilities.
4. Currently, the bug bounty program is limited to Microsoft Defender for Endpoint APIs but is expected to expand to include other Defender products in the future.
5. The program invites researchers worldwide to identify vulnerabilities and share them with Microsoft’s team.
6. Eligible vulnerabilities are categorized by severity and by type, including remote code execution, elevation of privilege, information disclosure, spoofing, tampering, and denial of service.
7. There are specific reward amounts assigned to each severity level and vulnerability type.
8. If multiple researchers report the same issue, only the initial submission is awarded; if a single submission qualifies for multiple programs, it receives the highest single payout among them.
9. Microsoft paid $58.9 million in rewards to 1,147 security researchers worldwide for reporting 446 eligible vulnerabilities across 22 bug bounty programs.
10. Microsoft also announced a new AI bounty program for the AI-driven Bing experience, with rewards up to $15,000, and expanded its bug bounty program to include on-premises Exchange, SharePoint, and Skype for Business.