We are thrilled to share the results of our collaboration with over 345 security researchers from +45 countries around the world in the past 12 months. Together, we have discovered and fixed more than a thousand potential security issues before they impacted our customers. In recognition of this valuable collaboration, we have awarded $13.8M as part of the industry-leading Microsoft Bug Bounty Program.

Microsoft Bug Bounty Programs are an essential part of our proactive strategy to protect our customers from security threats. These programs incentivize researchers to find vulnerabilities in high-priority areas, helping Microsoft stay ahead of the curve in the ever-evolving security landscape and emerging technologies. By following Coordinated Vulnerability Disclosure, security researchers make a vital contribution to enhancing the security that millions of Microsoft customers rely on.

The bounty programs span across products and services such as Azure, Edge, M365, Dynamics 365 and Power Platform, Windows, Xbox, and more. Each program has its own scope, eligibility criteria, award range, and submission guidelines to help researchers pursue impactful research without causing unintended harm. These guidelines are tailored to the specific threat model of each product or domain. For detailed information on each program, please visit the Microsoft Bug Bounty Programs website.

Bounty updates

We have continued to grow and evolve the Bug Bounty and Research programs in the past 12 months to cover new products, integrations, and expand scope in critical areas, including:

• Intune Bug Bounty research invitation challenge July 2022
• New high-impact research scenarios added to the Microsoft 365 Insider Builds on Windows Bounty Program January 2023
• Microsoft Teams Preview Bug Bounty research invitation challenge January 2023
• New Bing Bug Bounty research invitation challenge March 2023
• New severity classification for Online Services added to the Microsoft 365 Bounty Program April 2023
• New scope added to the Identity Bounty Program June 2023
• Secure boot research scenarios added to Windows Insider Preview Bounty Program July 2023

Bounty awards

Bounty awards are based on the severity and security impact of the bug, as well as the completeness and accuracy of the report. Awards are also aligned with the areas that matter most to our customers, to encourage research in these high-impact areas.

In the coming year we will continue to improve our programs based on your feedback. We appreciate our global security research community for their ongoing partnership and for sharing their expertise to help secure millions of Microsoft customers.

We look forward to strengthening our existing relationships and building new ones.

Stay Secure & Happy Hunting!

Bruce Robinson, Lynn Miyashita, and Madeline Eckert

Microsoft Bug Bounty Team