Microsoft is increasing payouts for its Copilot bug bounty program
The tech giant is expanding the Copilot bug bounty program to find flaws in the flagship AI tool
Microsoft has announced an expansion of its Copilot bug bounty program, boosting payouts and adding coverage of WhatsApp and Telegram tools.
The move comes after a set of flaws spotted by researchers in August would have allowed hackers to "confuse" Copilot into leaking confidential data, while a separate flaw spotted by Tenable could have allowed attackers to meddle with Copilot Studio to access data.
Such vulnerabilities in Copilot were spotted by researchers and addressed by Microsoft, rather than first found by hackers and put to use against customers — and that's exactly the way Microsoft would like it to work.
"We believe that collaboration with the security research community is essential to maintaining the integrity and security of our Copilot consumer products," wrote Lynn Miyashita and Madeline Eckert from the Microsoft bounty team in a blog post earlier this month.
Copilot bug bounty scheme eyes wider scope
Microsoft first unveiled a bug bounty program for Copilot in October 2023 for AI in Bing, later expanding it to include the wider suite of Copilot products and more recently to cover a wider range of flaws.
Now, the company is increasing the bounty award payments and the scope of the program, as well as more closely aligning the Copilot severity ratings with its existing online vulnerability classification system.
To start, the payouts of up to $5,000 will now extend to moderate vulnerabilities, which didn't earn a bounty previously; low severity flaws remain unpaid.
"We recognize that even moderate vulnerabilities can have significant implications for the security and reliability of our Copilot consumer products," the blog post added.
"To address this, we are introducing new incentives for moderate severity Copilot cases. Researchers who identify and report moderate severity vulnerabilities will now be eligible for bounty rewards up to $5,000."
Bounty awards now vary between $250 to $5,000 for moderate flaws, $1,000 to $20,000 for important flaws, and up to $30,000 for the most serious critical vulnerabilities. Microsoft notes that higher awards are possible.
Beyond the bounties, Microsoft is expanding the reach of Copilot for Telegram and Copilot for WhatsApp, as well as web access via copilot.microsoft.com and copilot.ai.
"This expansion provides researchers with more opportunities to contribute to the security of our Copilot ecosystem and helps us identify and mitigate potential vulnerabilities across a wider array of platforms," the blog post added.
Vulnerability classification
While the expanded bounties may catch the attention of researchers, Microsoft said the biggest change was the integration of the Microsoft Vulnerability Severity Classification for Online Services, otherwise known as the Online Services bug bar, following previous work with the AI version of that system.
RELATED WHITEPAPER
As part of the move, Microsoft aims to create a more consistent severity framework for vulnerabilities spotted in Copilot.
"By aligning with the Online Services Bug Bar, we ensure that all reported vulnerabilities are assessed with the same rigor and standards applied across Microsoft’s online services," the company said.
"This not only streamlines the evaluation process but also enhances the transparency and fairness of our bounty rewards."
MORE FROM ITPRO
-
Redefining resilience: Why MSP security must evolve to stay aheadIndustry Insights Basic endpoint protection is no more, but that leads to many opportunities for MSPs...
-
Microsoft unveils Maia 200 accelerator, claiming better performance per dollar than Amazon and GoogleNews The launch of Microsoft’s second-generation silicon solidifies its mission to scale AI workloads and directly control more of its infrastructure
-
Thousands of Microsoft Teams users are being targeted in a new phishing campaignNews Microsoft Teams users should be on the alert, according to researchers at Check Point
-
Microsoft warns of rising AitM phishing attacks on energy sectorNews The campaign abused SharePoint file sharing services to deliver phishing payloads and altered inbox rules to maintain persistence
-
Microsoft just took down notorious cyber crime marketplace RedVDS – and found hackers were using ChatGPT and its own Copilot tool to wage attacks
News Microsoft worked closely with law enforcement to take down the notorious RedVDS cyber crime service – and found tools like ChatGPT and its own Copilot were being used by hackers.
-
Supply chain and AI security in the spotlight for cyber leaders in 2026News Organizations are sharpening their focus on supply chain security and shoring up AI systems
-
These Microsoft Teams security features will be turned on by default this month – here's what admins need to know
News From 12 January, weaponizable file type protection, malicious URL detection, and a system for reporting false positives will all be automatically activated.
-
The Microsoft bug bounty program just got a big update — and even applies to third-party codeNews Microsoft is expanding its bug bounty program to cover all of its products, even those that haven't previously been covered by a bounty before and even third-party code.
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Microsoft Teams is getting a new location tracking feature that lets bosses snoop on staff – research shows it could cause workforce pushback
News A new location tracking feature in Microsoft Teams will make it easier to keep tabs on your colleague's activities – and for your boss to know exactly where you are.
