Microsoft Turns Up $250,000 Bug Bounty for Windows

Hard on the heels of Facebook announcing a $1 million investment in security research, Microsoft has ponied up as well, with a $250,000 top payout for a newly launched Windows Bounty Program.

The program includes all features of the existing Windows Insider Preview bounty, and adds focus areas in mitigation bypass, Windows Defender Application Guard and Microsoft Edge. As part of the initiative, Microsoft is also raising the payout range for the Hyper-V Bounty Program.

“Since 2012, we have launched multiple bounties for various Windows features,” the software giant said in a blog post. “Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”

The program will pay out anywhere from $500 to the aforementioned quarter-million for critical- or important-class remote code execution, elevation of privilege, or design flaws that compromise a customer’s privacy and security. If a researcher reports a qualifying vulnerability that Microsoft had already found internally, the first external finder will still be paid, at a maximum of 10% of the highest amount they could have received (for example, $1,500 for an RCE in Edge, or $25,000 for an RCE in Hyper-V).

Facebook earlier this week said that it is increasing the size of its Internet Defense Prize to $1 million, to be given out in slices as a series of prizes next year. Speaking at Black Hat, Facebook chief security officer Alex Stamos said that battling password re-use and social engineering would be particular focus points. That is a ten-fold increase over what the social network offered before; last year, it awarded just $100,000 in prizes.