Microsoft has announced an expansion of its Copilot bug bounty program, boosting payouts and adding coverage of WhatsApp and Telegram tools.
The move comes after a set of flaws spotted by researchers in August would have allowed hackers to "confuse" Copilot into leaking confidential data, while a separate flaw spotted by Tenable could have allowed attackers to meddle with Copilot Studio to access data.
Such vulnerabilities in Copilot were spotted by researchers and addressed by Microsoft, rather than first found by hackers and put to use against customers — and that's exactly the way Microsoft would like it to work.
"We believe that collaboration with the security research community is essential to maintaining the integrity and security of our Copilot consumer products," wrote Lynn Miyashita and Madeline Eckert from the Microsoft bounty team in a blog post earlier this month.
Copilot bug bounty scheme eyes wider scope
Microsoft first unveiled a bug bounty program for Copilot in October 2023 for AI in Bing, later expanding it to include the wider suite of Copilot products and more recently to cover a wider range of flaws.
Now, the company is increasing the bounty award payments and the scope of the program, as well as more closely aligning the Copilot severity ratings with its existing online vulnerability classification system.
To start, the payouts of up to $5,000 will now extend to moderate vulnerabilities, which didn't earn a bounty previously; low severity flaws remain unpaid.
"We recognize that even moderate vulnerabilities can have significant implications for the security and reliability of our Copilot consumer products," the blog post added.
"To address this, we are introducing new incentives for moderate severity Copilot cases. Researchers who identify and report moderate severity vulnerabilities will now be eligible for bounty rewards up to $5,000."
Bounty awards now vary between $250 to $5,000 for moderate flaws, $1,000 to $20,000 for important flaws, and up to $30,000 for the most serious critical vulnerabilities. Microsoft notes that higher awards are possible.
Beyond the bounties, Microsoft is expanding the reach of Copilot for Telegram and Copilot for WhatsApp, as well as web access via copilot.microsoft.com and copilot.ai.
"This expansion provides researchers with more opportunities to contribute to the security of our Copilot ecosystem and helps us identify and mitigate potential vulnerabilities across a wider array of platforms," the blog post added.
Vulnerability classification
While the expanded bounties may catch the attention of researchers, Microsoft said the biggest change was the integration of the Microsoft Vulnerability Severity Classification for Online Services, otherwise known as the Online Services bug bar, following previous work with the AI version of that system.
RELATED WHITEPAPER
As part of the move, Microsoft aims to create a more consistent severity framework for vulnerabilities spotted in Copilot.
"By aligning with the Online Services Bug Bar, we ensure that all reported vulnerabilities are assessed with the same rigor and standards applied across Microsoft’s online services," the company said.
"This not only streamlines the evaluation process but also enhances the transparency and fairness of our bounty rewards."
MORE FROM ITPRO
-
Gender diversity improvements could be the key to tackling the UK's AI skills shortageNews Encouraging more women to pursue tech careers could plug huge gaps in the AI workforce
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Microsoft Teams is getting a new location tracking feature that lets bosses snoop on staff – research shows it could cause workforce pushbackNews A new location tracking feature in Microsoft Teams will make it easier to keep tabs on your colleague's activities – and for your boss to know exactly where you are.
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
-
HPE selects CrowdStrike to safeguard high-performance AI workloadsNews The security vendor joins HPE’s Unleash AI partner program, bringing Falcon security capabilities to HPE Private Cloud AI
-
Microsoft opens up Entra Agent ID preview with new AI featuresNews Microsoft Entra Agent ID aims to help manage influx of AI agents using existing tools
-
GitHub is awash with leaked AI company secrets – API keys, tokens, and credentials were all found out in the openNews Wiz research suggests AI leaders need to clean up their act when it comes to secrets leaking
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
