The Microsoft bug bounty program just got a big update — and even applies to third-party code
Microsoft will pay awards for vulnerabilities in third-party or open source code if they impact its own systems or products
Microsoft is expanding its bug bounty program to cover all of its products, including those not previously covered by a bounty, and even third-party code.
Security flaws continue to plague the digital world: Microsoft recently patched its Edge browser after Google spotted a zero-day being used by attackers in Chrome.
Last year, Microsoft paid out more than $17 million via its bug bounty program, versus $11.8 million by Google via its Vulnerability Reward Program, with payouts in the hundreds of thousands of dollars.
Microsoft has recently expanded its researcher reward programme to increase payouts for Copilot bugs.
But cloud and AI have changed the landscape, so Microsoft is widening the bounty program to include payments for critical vulnerabilities in online services, even if it didn't write the code.
"In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services. They don’t care who owns the code they try to exploit," wrote Tom Gallagher, VP Engineering for Microsoft Security Response Center, in a blog post.
"The same approach should apply to the security community who continue to partner with us to provide critical insights that help protect our customers. Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved."
Microsoft is calling the new scheme "In Scope by Default," noting that the aim is to widen coverage of its products and automatically include new services as soon as they are released.
"Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit," Gallagher added.
How In Scope by Default works
Microsoft said it will now pay a bounty award for any critical flaw impacting its services, whether the code is "owned and managed" by Microsoft, a third party, or is open source – assuming no other bounty award exists.
"If Microsoft’s online services are impacted by vulnerabilities in third-party code – including open source, we want to know," added Gallagher. "If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code."
Beyond the bounty, Microsoft said it will "do whatever it takes" to fix the flaw.
Microsoft said it hopes that expanding the program to include online domains and cloud services will encourage researchers outside the company to spend time studying its products.
"Security researchers don’t have our insider perspective and are uniquely placed to think like an attacker," Gallagher said.
The tech giant added that it expects researchers to protect privacy and customer data, and understand its guidelines for responsible security research. Payouts will depend on the severity of the vulnerability.
All the big companies – from Microsoft to OpenAI – offer bug bounties, and some smaller companies are starting to find value too, since bounty awards cost less than regulatory fines and reputational damage.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.