Microsoft tripled bug bounty payouts to $13.7m last year
The figure is more than double Google’s payout for 2019 and was divided among 327 security researchers
Microsoft paid out $13.7 million (roughly £10.5 million) across 15 bounty programmes during the last 12 months, more than three times the amount paid out to researchers in the same period during 2018/19.
The company rewarded 327 researchers for identifying bugs and flaws in Microsoft software during the last year, with 1,226 eligible vulnerability reports being filed during the period. The biggest single reward was $200,000.
The overall payout is greater than the $4.4 million (approximately £3.4 million) Microsoft distributed during the same 12-month period across 2018 and 2019, and significantly higher than the $2 million (around £1.5 million) rewarded during 2018.
This is due to a number of significant changes to the bug bounty programme made over the last two years, as well as the COVID-19 pandemic, which has led to a higher rate of engagement among the security community.
Programmes for Microsoft Dynamics 365, Azure Security Lab, Edge on Chromium, and Election Guard were all launched between July and October 2019, while the Xbox bounty and Azure Sphere Security Research Challenge programmes were launched this year.
This is in addition to the Identity and Windows Insider Preview bounty programmes being updated in October 2019 and July 2020, respectively.
“We’re constantly evaluating the threat landscape to evolve our programs and listening to feedback from researchers to help make it easier to share their research,” said Microsoft’s senior program manager leading its Bug Bounty Program, Jarek Stanley.
“This year, we launched six new bounty programs and two new research grants, attracting over 1,000 eligible reports from over 300 researchers across 6 continents. In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic.”
The final payout is more than double the $6.5 million Google paid through its bug bounty programme during the 2019 fiscal year, which was distributed among 461 researchers, with the biggest single reward standing at $201,000.
Microsoft didn’t disclose the number of vulnerabilities reported across the previous 12-month period, although the 1,226 flaws reported in the last year may well represent a major increase. This is not only due to the number of new and expanded programmes the company has introduced, but the frequency of flaws identified.
The Windows 10 operating system, for example, has been the source of many complaints over the previous 12 months, particularly with regards to major feature updates such as the recent May 2020 upgrade.
Microsoft warned users against installing the Windows 10 update after its initial two-week delay due to a number of serious issues it had identified, ranging from faulty Bluetooth connectivity to broken mouse input.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.