Microsoft has said it awarded over $13.6 million (£9.87 million) in rewards to security researchers participating in its public bug bounty programmes over the last 12 months.
Between 1 July 2020 and 30 June 2021, over 340 security researchers from across 58 countries participated in the tech giant’s 17 software bug hunts, reporting a total of 1,261 valid vulnerabilities.
The number of participating researchers grew by at least a dozen since the same period last year, when Microsoft awarded $13.7 million to 327 security researchers. Since then, the tech giant has added two more bug bounty programmes, including one for its Teams desktop client with potential rewards of up to $30,000, and saw the number of vulnerability reports increase by 35.
However, despite the reward amount tripling between 2019 and 2020, 2021 saw a slight decrease, of around $100,000.
Over the last 12 months, the highest number of bug reports were submitted from security researchers based in China, the US, Israel, and India. Although the average reward was over $10,000 (£7,260), the largest payout – $200,000 (£145,000) – was awarded for a vulnerability reported in Microsoft’s OS virtualisation technology, Hyper-V, under the Hyper-V Bounty Programme.
Microsoft Security Response Center members Jarek Stanley, Lynn Miyashita, and Madeline Eckert thanked “everyone who shared their research with Microsoft this year and for their partnership in securing millions of customers”, in a statement on the company’s blog.
The Forrester Wave: Top security analytics platforms
The 11 providers that matter most and how they stack up
“We’re constantly evaluating the threat landscape to evolve our programmes and listening to feedback from researchers to help make it easier to share their research. This year, we introduced new challenges and scenarios to award research focused on the highest impact to customer security.
"These focus areas helped us not only discover and fix risks to customer privacy and security, but also offer researchers top awards for their high-impact work,” they said, adding that the Microsoft Security Response Center will share “more bounty programme updates and improvements in the coming year”.
The title of the Most Valuable Security Researcher 2021 is to be announced in August.
