Microsoft awarded $13.6 million in bug bounties over the last 12 months
Over 340 security researchers from 58 countries reported a total of 1,261 valid vulnerabilities between 2020-2021
Microsoft has said it awarded over $13.6 million (£9.87 million) in rewards to security researchers participating in its public bug bounty programmes over the last 12 months.
Between 1 July 2020 and 30 June 2021, over 340 security researchers from across 58 countries participated in the tech giant’s 17 software bug hunts, reporting a total of 1,261 valid vulnerabilities.
The number of participating researchers grew by at least a dozen since the same period last year, when Microsoft awarded $13.7 million to 327 security researchers. Since then, the tech giant has added two more bug bounty programmes, including one for its Teams desktop client with potential rewards of up to $30,000, and saw the number of vulnerability reports increase by 35.
However, despite the reward amount tripling between 2019 and 2020, 2021 saw a slight decrease, of around $100,000.
Over the last 12 months, the highest number of bug reports were submitted from security researchers based in China, the US, Israel, and India. Although the average reward was over $10,000 (£7,260), the largest payout – $200,000 (£145,000) – was awarded for a vulnerability reported in Microsoft’s OS virtualisation technology, Hyper-V, under the Hyper-V Bounty Programme.
Microsoft Security Response Center members Jarek Stanley, Lynn Miyashita, and Madeline Eckert thanked “everyone who shared their research with Microsoft this year and for their partnership in securing millions of customers”, in a statement on the company’s blog.
RELATED RESOURCE
The Forrester Wave: Top security analytics platforms
The 11 providers that matter most and how they stack up
“We’re constantly evaluating the threat landscape to evolve our programmes and listening to feedback from researchers to help make it easier to share their research. This year, we introduced new challenges and scenarios to award research focused on the highest impact to customer security.
"These focus areas helped us not only discover and fix risks to customer privacy and security, but also offer researchers top awards for their high-impact work,” they said, adding that the Microsoft Security Response Center will share “more bounty programme updates and improvements in the coming year”.
The title of the Most Valuable Security Researcher 2021 is to be announced in August.
-
ITPro Best of Show NAB 2026 awards now open for entriesThe awards are a fantastic opportunity for companies to stand out at one of the industry's most attended shows
-
Mistral CEO Arthur Mensch thinks 50% of SaaS solutions could be supplanted by AINews Mensch’s comments come amidst rising concerns about the impact of AI on traditional software
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Two Fortinet vulnerabilities are being exploited in the wild – patch nowNews Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
-
Everything you need to know about Google and Apple’s emergency zero-day patchesNews A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches
-
The Microsoft bug bounty program just got a big update — and even applies to third-party codeNews Microsoft is expanding its bug bounty program to cover all of its products, even those that haven't previously been covered by a bounty before and even third-party code.
