November 21, 2023 at 07:03AM
Microsoft has paid out $63 million in rewards to security researchers participating in its bug bounty programs. The company now runs 17 bug bounty programs, with rewards reaching up to $250,000 for high-impact bugs. Thousands of researchers from 70 countries are involved, including students, academics, and cybersecurity professionals. Microsoft states that the data collected from these programs helps improve the company’s security measures beyond fixing individual bugs.
Key takeaways:
1. Microsoft has paid out $63 million in rewards to security researchers participating in its bug bounty programs since 2013.
2. The company launched its first bug bounty programs in 2013 and initially received fewer than 100 reports annually.
3. Microsoft now runs 17 bug bounty programs covering various products, including Azure, Edge, Microsoft 365, Windows, and Xbox.
4. Rewards of up to $250,000 are offered for high-impact bugs in the Hyper-V hypervisor.
5. Thousands of security researchers from 70 countries, including students, academics, and professionals, are participating in Microsoft’s bug bounty programs.
6. $60 million of the total rewards were paid over the past five years, and Microsoft has been giving out more than $13 million annually to around 300 researchers since 2020.
7. The data from the bug bounty programs informs product and security teams' broader security hardening and mitigation efforts, beyond the fix for each individual bug.
8. Microsoft has made changes to its bug bounty rewards policies over the years to offer payments for internally discovered bugs and clarify eligibility for vulnerability reports.
9. The company’s vulnerability disclosure program now includes incentives and partnerships, with every triaged and fixed report reviewed for potential bounty eligibility.
10. The source article also links to related coverage of Microsoft's AI bug bounty program and an interview with a researcher from Google's Project Zero.