Microsoft has revealed it awarded 330 security researchers a total of $13.7 million during the past year for reporting security vulnerabilities in its systems and products through Coordinated Vulnerability Disclosure.
The software giant released its annual bug bounty review, which says that last year the largest award was $200,000 under the Hyper-V Bounty Program and the average award was more than $12,000 across all its programs, demonstrating the high-impact research from one of the largest and most diverse global security research communities.
Microsoft says it is constantly evolving its programs and partnerships with security researchers to meet the changing threat landscape. A key element for reaching this level is listening to feedback from security researchers to remove barriers to entry and better facilitate research efforts.
The company released new research challenges and new high-impact attack scenarios across many of its programs to award research focused on the most critical areas where customer data is involved. The addition of these attack scenarios to the Azure, Dynamics 365 and Power Platform, and M365 bounty programs helps to focus research on the highest-impact cloud vulnerabilities, including areas like Azure Synapse Analytics, Key Vault, and Azure Kubernetes Services.
Microsoft Bug Bounty and Research Programs
- Azure SSRF Research Challenge, launched August 2021 [Closed Now]
- Azure Bounty Program, added high-impact research scenarios in August 2021 - Qualified submissions are eligible for bounty rewards from $500 to $60,000 USD.
- Edge Bounty Program, added Android/iOS to scope October 2021 - Qualified submissions are eligible for bounty rewards of $250 USD to $30,000 USD.
- Microsoft Researcher Recognition Program expanded recognition categories and swag in February 2022
- Applications and On-Premises Servers Bounty Program, added Exchange, Skype, and SharePoint on-premises April 2022 - Qualified submissions are eligible for bounty rewards from $500 to $30,000 USD.
- M365 Bounty Program, added high-impact research scenarios April 2022 - Qualified submissions are eligible for bounty rewards of $500 to $26,000 USD.
- Dynamics 365 and Power Platform Bounty Program, added high-impact research scenario & Power Platform to scope April 2022 - Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.
Following the great success of the past 12 months, Microsoft will continue to invest in and evolve its bounty programs as part of strengthening these partnerships with the global security research community.
Microsoft thanked all the researchers who shared their research with the company to help secure millions of Microsoft customers.