Microsoft Expands Bug Bounties to Cover Third-Party Flaws Impacting Its Online Services
The shift makes every online service in scope by default, with bounties plus remediation support under the Secure Future Initiative.
Overview
- Tom Gallagher announced the policy at Black Hat Europe, saying any critical flaw that demonstrably affects Microsoft’s online services now qualifies for rewards.
- All existing and newly released online services are in scope immediately under the new "in scope by default" approach.
- Reports of critical vulnerabilities in third-party or open-source components that impact Microsoft services are eligible for payouts; Microsoft will offer awards where no other bounty program exists and will assist the code owners with fixes, including writing patches.
- Microsoft is steering research toward high-risk areas, with some targets, such as Hyper-V, drawing potential awards of up to about $250,000.
- The company paid over $17 million to 344 researchers in the past year, and it is exploring early-stage use of AI to help identify and remediate vulnerabilities.