Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards

Security researchers are a vital component of the cybersecurity ecosystem that safeguards every facet of digital life and commerce. The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude.

The security landscape is constantly changing with emerging technology and new threats. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), security researchers have continued to help us secure millions of customers. Microsoft is committed to continuing to enhance our Bug Bounty Programs and strengthening our partnership with the security research community. Over the past 12 months Microsoft awarded $13.7M in bounties, more than three times the $4.4M we awarded over the same period last year.

What has changed in the past year?

We’re constantly evaluating the threat landscape to evolve our programs and listening to feedback from researchers to help make it easier to share their research. This year, we launched six new bounty programs and two new research grants, attracting over 1,000 eligible reports from over 300 researchers across 6 continents. In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic.

New and Updated Bounty Programs

New Research Programs:

Thank you to everyone who shared their research with Microsoft this year, and for their participation in Microsoft’s Bounty Programs. Millions of customers, and the broader ecosystem, are more secure thanks to their efforts.

Jarek Stanley, Lynn Miyashita, Sylvie Liu, and Chloé Brown
Microsoft Security Response Center

Share