Partnering with the security research community is an important part of Microsoft’s holistic approach to defending against security threats. Bug bounty programs are one part of this partnership. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), researchers continue to help us secure millions of customers.
Over the past 12 months, Microsoft awarded $13.6M in bug bounties to more than 340 security researchers across 58 countries. The largest award was $200K under the Hyper-V Bounty Program. With an average of more than $10,000 USD per award across all programs, each of the over 1,200 eligible reports reflect the talent and creativity of the global security research community and their invaluable partnership in addressing the challenges of a constantly changing security environment.
*Image provided by HackerOne for dates 7/1/2020 to 6/28/2021
We’re constantly evaluating the threat landscape to evolve our programs and listening to feedback from researchers to help make it easier to share their research. This year, we introduced new challenges and scenarios to award research focused on the highest impact to customer security. These focus areas helped us not only discover and fix risks to customer privacy and security, but also offer researchers top awards for their high-impact work.
- Windows Insider Preview Bounty Program, updated July 2020
- Researcher Recognition Program, updated February 2021
- Microsoft Applications Bounty Program (Teams Desktop), launched March 2021 NEW
- SIKE Cryptographic Challenge, launched June 2021 NEW
A big THANK YOU to everyone who shared their research with Microsoft this year and for their partnership in securing millions of customers. We look forward to sharing more bounty program updates and improvements in the coming year as we continue to invest in our partnerships with the security research community and award.
Be sure to check back next month for the 2021 Most Valuable Security Researcher announcement!
Jarek Stanley, Lynn Miyashita, and Madeline Eckert
Microsoft Security Response Center