We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center (MSRC). Each year we identify over a thousand potential security issues together, safeguarding our customers from possible threats through the Microsoft Bounty Program.
The Microsoft Bounty Program is crucial to our proactive strategy of incentivized research programs to engage the external research community to partner and protect our customers from security threats. These programs encourage researchers to surface vulnerabilities in high-priority attack surfaces, allowing Microsoft to fortify our products in a continuously changing security landscape, which notably now includes Artificial Intelligence. By following Coordinated Vulnerability Disclosure, security researchers make a vital contribution to enhancing the security that millions of Microsoft customers and users rely on daily.
Our programs cover a wide range of products and services, including Azure, Edge, M365, Dynamics 365, Power Platform, Windows, and Xbox, and more, each with specific guidelines to ensure impactful and safe research. Each program has its own detailed scope, eligibility criteria, award range, and submission guidelines to guide researchers to pursue impactful research without causing unintended harm. These guidelines are tailored to the specific threat model of each product or domain. For detailed information on each program, please visit the Microsoft Bug Bounty Programs website.
As the security landscape and Microsoft’s attack surface evolves, so does the Microsoft Bounty Program. Whether expanding scope to cover new Microsoft products and services or aligning research targets to protect against malicious actors and novel attack vectors, the Microsoft Bounty Program responds with program enhancements continuously.
This past year, the program publicly introduced the following:
Microsoft Identity Bounty Program scope addition to include authenticator applications
Microsoft 365 Insider Program scope expansion to include Microsoft OneNote, an unauthenticated non-sandboxed code execution with no user interaction scenario award, and security feature bypasses
Microsoft Defender Bounty Program launch
Dataverse Integrations Research Grant targeting cross-tenant information disclosure and elevation of privilege vulnerabilities.
Windows Bounty Program Secure Boot limited time bounty award
Dataverse Integrations Research Grant targeting cross-tenant information disclosure and elevation of privilege vulnerabilities
Bounty awards are based on the severity and security impact of the bug, as well as the completeness and accuracy of the report. Awards are also aligned with the areas that matter most to our customers, to encourage research in these high-impact areas.
In the coming year we will continue to improve our programs based on your feedback. We appreciate our global security research community for their ongoing partnership and for sharing their expertise to help secure millions of Microsoft customers.
We look forward to strengthening our existing relationships and building new ones with the global research community.
Stay Secure & Happy Hunting!
Madeline Eckert, Bruce Robinson, and Lynn Miyashita
Microsoft Bounty Team