The Microsoft Bug Bounty Programs and partnerships with the global security research community are important parts of Microsoft’s holistic approach to defending customers against security threats. Our bounty programs incentivize security research in high-impact areas to stay ahead of the ever-changing security landscapes, emerging technology, and new threats. Security Researchers help us secure millions of customers by discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure.
Over the past 12 months, Microsoft awarded $13.7M in bug bounties to more than 330 security researchers across 46 countries. In the last year, the largest award was $200,000 under the Hyper-V Bounty Program, and the average award was more than $12,000 across all our programs, demonstrating the high impact research from one of the largest and most diverse global security research communities.
What has changed in the past year?
We are constantly evolving our programs and partnerships to meet the changing threat landscape. A key element of this maturing process is listening to feedback from researchers to remove barriers to entry and better facilitate research efforts. This year, we introduced a new research challenge and new high-impact attack scenarios across many of our programs to award research focused on the most critical areas to customer security. The addition of these attack scenarios to our Azure, Dynamics 365 and Power Platform, and M365 bounty programs helps to focus research on the highest impact cloud vulnerabilities including areas like Azure Synapse Analytics, Key Vault, and Azure Kubernetes Services.
New and Updated Bug Bounty and Research Programs
- Azure SSRF Research Challenge, launched August 2021
- Azure Bounty Program, added high-impact research scenarios August 2021
- Edge Bounty Program, added Android/iOS to scope October 2021
- Microsoft Researcher Recognition Program, expanded recognition categories and swag February 2022
- Applications and On-Premises Servers Bounty Program, added Exchange, Skype, and SharePoint on-premises April 2022
- M365 Bounty Program, added high-impact research scenarios April 2022
- Dynamics 365 and Power Platform Bounty Program, added high-impact research scenario & Power Platform to scope April 2022
We believe partnerships with the global security research community are an essential part of protecting customers, and we will continue to invest in and evolve our bounty programs as a part of strengthening these partnerships. Thank you to all the researchers who shared their research with Microsoft this year to help secure millions of Microsoft customers.
Lynn Miyashita and Madeline Eckert