Microsoft Launches Defender Bug Bounty Program

Microsoft has launched another bug bounty program, this time with the goal of making its Microsoft Defender-branded products and services more resilient to attack.

The Microsoft Defender Bounty Program will offer ethical hackers between $500 and $20,000 for “significant vulnerabilities that have a direct and demonstrable impact on the security of our customers.”

The top payout goes to researchers who find a critical remote code execution bug and submit a high-quality, reproducible report. Other in-scope vulnerability classes include cross-site scripting, cross-site request forgery, server-side request forgery, cross-tenant data tampering or access, and injection flaws.

The program currently covers only the Microsoft Defender for Endpoint public APIs, but Microsoft says it expects to expand the scope to other Defender offerings over time.

The program comes just weeks after Microsoft launched a similar initiative for its AI-powered Bing experience. Microsoft also has bug bounty programs running for SharePoint, Microsoft 365, Skype for Business and on-premises Exchange.

The news comes as the UK’s National Cyber Security Centre (NCSC) announced a new set of non-financial rewards for the most prolific contributors to its Vulnerability Reporting Service (VRS).

The security agency will be awarding NCSC Challenge Coins “to those who have shown themselves to be exemplars of the vulnerability disclosure community.”

The coins feature four designs: Ada Lovelace, considered the world’s first programmer; Charles Babbage, the father of the computer; Alan Turing, codebreaker and father of modern computing science; and the Bombe, the electromechanical machine used at Bletchley Park during World War Two to recover Enigma settings.

The NCSC launched the VRS in 2018 to encourage researchers to find and report vulnerabilities in UK government services. Delivered through the HackerOne platform with help from NCC Group, it now attracts four times as many submissions as it did five years ago.
