Microsoft Puts All Online Services 'In Scope by Default' for Bug Bounties
The shift extends rewards to critical flaws in third-party and open-source components that affect its cloud.
Overview
- Announced at Black Hat Europe, the policy takes effect immediately and brings new Microsoft services into scope as soon as they launch.
- Researchers can claim rewards for critical vulnerabilities with a demonstrable impact on Microsoft online services regardless of whether the code is Microsoft, third-party, or open source.
- Microsoft says it will help remediate non-Microsoft bugs, including writing patches or supporting maintainers when no separate bounty program exists.
- The company reports paying more than $17 million to researchers in the past year and is prioritizing high-risk areas such as Hyper-V with awards up to $250,000.
- The change is framed within Microsoft’s Secure Future Initiative, which also includes steps like disabling ActiveX in Microsoft 365 apps and tightening default settings for legacy authentication.