Microsoft Bounty Program offers larger rewards for bug hunters
Bug bounty programs are a popular way for tech companies to track down problems with their products without having to spend large sums of money on dedicated research teams. Microsoft is one of the big names with such a program, and it has just announced that it is increasing the payouts it makes.
As well as offering people more money for finding issues with its products, Microsoft also says that it will pay people faster.
A key change in policy is that Microsoft will no longer wait until a fix has been produced for a bug before making a payout. Now the only requirement is that the bug can be reproduced. Faster payment is made possible in part by a partnership with HackerOne, which Microsoft describes as follows:
Once a vulnerability submission has successfully qualified for a bounty award, we want to ensure payments happen quickly. Microsoft is partnering with HackerOne for bounty payment processing and support to deliver bounty awards efficiently and with more options like PayPal, cryptocurrency, or direct bank transfer in more than 30 currencies. HackerOne also supports award splitting and charity donations. Additionally, Microsoft bounty awards processed through HackerOne will contribute to your overall reputation score on the HackerOne platform.
The maximum bounty has increased from $15,000 to $50,000 for the Windows Insider Preview bounty, and from $15,000 to $20,000 for the Microsoft Cloud Bounty. Microsoft is also changing the way it handles reports of bugs that were already known internally:
Historically, external reports of internally known vulnerabilities were rewarded 10 percent of the eligible bounty award, as the report did not inform us of a new and previously unknown issue. But understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can. Therefore, we have updated our policy on duplicate submissions. The first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award, even if it is internally known. There is no change to our policy regarding duplicate external reports of the same vulnerability.
Full details are available on TechNet.