The Information Highway

The Information Highway

Font size: +
2 minutes reading time (374 words)

Microsoft launches Defender Bounty Program with $20,000 rewards

Microsoft has unveiled a new bug bounty program aimed at the Microsoft Defender security platform, with rewards between $500 and $20,000. 

While higher awards are possible, Microsoft retains sole discretion to determine the final reward amount based on vulnerability severity, impact, and submission quality.

The highest reward is available for high-quality reports of critical severity remote code execution vulnerabilities.

Currently, the Microsoft Defender Bounty Program is limited in scope and will focus solely on Microsoft Defender for Endpoint APIs (Application Programming Interfaces). However, it is expected to expand to include other Defender products in the future.

"The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team," said MSRC Senior Program Manager Madeline Eckert.

"Microsoft's Bug Bounty programs represent one of the many ways we invest in partnerships with the global security research community to help secure Microsoft customers." 

The complete list of in-scope security vulnerabilities includes:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Cross-tenant data tampering or access
  • Insecure direct object references
  • Insecure deserialization
  • Injection vulnerabilities
  • Server-side code execution
  • Significant security misconfiguration (when not caused by the user)
  • Using components with known vulnerabilities (Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award).

Per Microsoft's guidelines, the bounty will be awarded to the initial submission if multiple security researchers file multiple bug reports regarding the same issue.

Moreover, if a submission qualifies for multiple bounty programs, the researchers will receive the highest single payout reward from a single bounty program. Further details regarding the Microsoft Bounty Program are available on this FAQ page.

Today, Microsoft also revealed that it paid $58.9 million in rewards to 1,147 security researchers worldwide who reported 446 eligible vulnerabilities across 22 bug bounty programs.

One month earlier, the company announced a new AI bounty program focused on the AI-driven Bing experience, with rewards of up to $15,000.

Last year, Redmond added on-premises Exchange, SharePoint, and Skype for Business to its bug bounty program and increased the maximum awards for high-impact security flaws reported through its Microsoft 365 program. 

Hacktivists breach U.S. nuclear research lab, stea...
Auto parts giant AutoZone warns of MOVEit data bre...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023