Microsoft paid almost $14M in bounties over the last 12 months


Microsoft has awarded $13.7 million to security researchers who have reported vulnerabilities over the last 12 months through 15 bug bounty programs, between July 1st, 2019, and June 30th, 2020.

This is more than three times the $4.4 million awarded to researchers during the previous year, according to the annual Microsoft Bug Bounty Program retrospective published on the Microsoft Security Response Center blog.

"By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), security researchers have continued to help us secure millions of customers," the company says.

"Microsoft is committed to continuing to enhance our Bug Bounty Programs and strengthening our partnership with the security research community."

Programs launched over the last 12 months

In 2020 alone, Microsoft launched two new research grants and six new bug bounty programs, receiving 1,226 eligible vulnerability reports from 327 security researchers located in countries from six continents.

In January, the company launched the Xbox bug bounty program, which offers a maximum payout of $20,000 for remote code execution vulnerabilities submitted as high-quality reports with clear and concise proofs of concept (PoCs).

As Redmond said at the time, researchers submitting vulnerabilities through the Xbox program can also earn higher rewards depending on the flaw's impact and the quality of their reports.

Microsoft launched four other bounty programs during the last 12 months, including:

• Microsoft Dynamics 365 Bounty Program, launched July 2019
• Azure Security Lab, launched August 2019
• Microsoft Edge on Chromium Bounty Program, launched August 2019
• Election Guard Bounty Program, launched October 2019

The company also updated the following programs:

• Identity Bounty Program, updated October 2019
• Windows Insider Preview Bounty Program, updated July 2020


New research programs

In May, Microsoft launched the Azure Sphere Security Research Challenge, an IoT-focused research program with bounties of up to $100,000 for security flaws found in the Azure Sphere IoT security solution.

Besides the Azure Sphere Security Research Challenge, the company added these additional new research programs since July 1st, 2019:

• Most Valuable Researcher Recognition Program, updated July 2019
• Security Researcher Quarterly Leaderboard, beginning August 2019
• Identity Research Grant, launched January 2020
• Microsoft Security AI RFP, launched in partnership with Microsoft Research in March 2020
• Machine Learning Security Evasion Competition, launched in partnership with CUJO AI, VMRay, and MRG Effitas in June 2020

On Monday, Microsoft also joined the Open Source Security Foundation (OpenSSF) as a founding member, alongside GitHub, Google, IBM, JPMC, NCC Group, OWASP Foundation, and Red Hat.

The goal behind this move is to provide open source developers with the best security tools and best-practice recommendations, and to cut the time needed to fix security vulnerabilities in the open-source software ecosystem from months to minutes.

"In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic," Microsoft concluded.
