Now that you know that Apple has an open bug bounty program, you might also be interested to know that Microsoft has one too, where you can get paid up to $250,000 for reporting bugs to the company.
If you are a security researcher who has found a vulnerability in a Microsoft product, service, or device, this is for you.
Microsoft says that if you identify a vulnerability that affects a product or service within the scope of one of its bounty programs, you may receive a bounty award according to the program descriptions.
“Security is always changing, and we prioritise different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”
Just yesterday, Aditi Singh, a 20-year-old ethical hacker from Delhi, won a bounty of $30,000 for spotting a bug in Microsoft’s Azure cloud system. Aditi had found a similar bug on Facebook just two months earlier and won a bounty of $7500. She had identified that both companies had a remote code execution (RCE) bug,
Cloud Programs
Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
---|---|---|---|---|---|
Microsoft Azure | 2014-09-23 | 2020-08-24 | Ongoing | Vulnerability reports on Microsoft Azure cloud services | Up to $40,000 USD |
| | 2018-07-17 | 2019-10-23 | Ongoing | Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards. | Up to $100,000 USD |
Xbox | 2020-01-30 | 2020-01-30 | Ongoing | Vulnerability reports on the Xbox Live network and services | Up to $20,000 USD |
Microsoft Online Services | 2014-09-23 | 2019-08-05 | Ongoing | Vulnerability reports on applicable Microsoft cloud services, including Office 365 | Up to $20,000 USD |
Microsoft Azure DevOps Services | 2019-01-17 | 2019-01-17 | Ongoing | Vulnerability reports on applicable Microsoft Azure DevOps Services | Up to $20,000 USD |
Microsoft Dynamics 365 | 2019-07-17 | 2019-07-29 | Ongoing | Vulnerability reports on applicable Microsoft Dynamics 365 applications | Up to $20,000 USD |
| | 2016-09-01 | 2020-11-20 | Ongoing | Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details) | Up to $15,000 USD |
Platform Programs
Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
---|---|---|---|---|---|
Microsoft Hyper-V | 2017-05-31 | 2020-04-13 | Ongoing | Critical remote code execution, information disclosure and denial of service vulnerabilities in Hyper-V | Up to $250,000 USD |
Microsoft Windows Insider Preview | 2017-07-26 | 2020-08-27 | Ongoing | Critical and important vulnerabilities in Windows Insider Preview | Up to $100,000 USD |
Microsoft Applications | 2021-03-24 | 2021-03-24 | Ongoing | Critical and important vulnerabilities in Microsoft Applications | Up to $30,000 USD |
Windows Defender Application Guard | 2017-07-26 | 2017-07-26 | Ongoing | Critical vulnerabilities in Windows Defender Application Guard | Up to $30,000 USD |
Microsoft Edge (Chromium-based) | 2019-08-20 | 2020-01-15 | Ongoing | Critical and important vulnerabilities in Microsoft Edge (Chromium-based) Dev, Beta, and Stable channels | Up to $30,000 |
Office Insider | 2017-03-15 | 2018-12-07 | Ongoing | Vulnerabilities on Office Insider | Up to $15,000 USD |
ElectionGuard | 2019-10-18 | 2021-03-31 | Ongoing | Vulnerabilities in ElectionGuard | Up to $15,000 USD |
Defense & Grant Programs
Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
---|---|---|---|---|---|
Mitigation Bypass and Bounty for Defense | 2013-06-26 | 2018-10-02 | Ongoing | Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission. | Up to $100,000 USD (plus up to an additional $100,000) |
Grant: Microsoft Identity | 2020-01-09 | 2020-04-09 | Ongoing | This project grant awards up to $75,000 USD for approved research proposals that improve the security of the Microsoft Identity solutions in new ways for both Consumers (Microsoft Account) and Enterprise (Azure Active Directory). | Up to $75,000 USD |
SIKE Cryptographic Challenge | 2021-06-09 | 2021-06-09 | Ongoing | This challenge awards up to $50,000 USD for solutions that break the SIKE algorithm for two sets of toy parameters. | Up to $50,000 USD |
The Microsoft Bug Bounty Programs are subject to Microsoft's legal terms and conditions and to its bounty Safe Harbor policy.