Microsoft Doubles Defense Bug Bounty Payout

Microsoft is enhancing its Bug Bounty program with bigger pay-outs and the addition of new categories.

The firm used Black Hat 2015 in Las Vegas on Wednesday to announce a raft of improvements designed to encourage more researchers to find flaws in its software – before the bad guys do.

Key among these was a doubling of the Bounty for Defense – from $50,000 to $100,000 – which Microsoft security architect Jason Shirk argued will “bring defense up on a par with offense” and “rewards the novel defender equally for their research.”

There are also changes to the Online Services Bug Bounty Program.

Authentication vulnerability bounty payouts will double if they are submitted within the bonus period of 5 August-5 October. This will land researchers with a cool $30,000 at the top end if they find a “great” bug in Microsoft Account (MSA) or Azure Active Directory (AAD).

Shirk explained that Microsoft is also adding RemoteApp to the Online Services bounty program – so it will be covered by all the regular terms and payout rules.

“These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits,” he added.

“It has been great to see the reaction from the research community to the Microsoft Edge Bug Bounty, and the Azure addition to the Online Services Bug Bounty Program. I hope to see equal enthusiasm for these new editions.”

It is, of course, in Microsoft’s interest to get greater numbers from the security research community helping make its products more secure.

Just hours after launching, Windows 10 was updated with three security fixes, although these were patches previously released for other versions which happened to come out between the operating system’s RTM and official launch.

Nevertheless, Windows remains a key target for hackers given its huge global market share.
