Microsoft Partners With HackerOne On Bug Bounty
Written by Kay Ewbank
Friday, 12 April 2019
Microsoft's Bug Bounty program has been updated to pay out faster for valid vulnerabilities. The HackerOne hacker community has joined as a partner to speed up checks and handle payouts.
The Microsoft Bounty Program paid out over $2,000,000 last year to researchers who reported qualifying vulnerabilities, and the new arrangement is intended to shorten the time between a valid report and its payout.
The faster review is already in place for the Cloud, Windows and Azure DevOps programs: bounties there are now awarded once a submission has been reproduced and assessed, rather than being held back until the final fix has been determined.
Under the new partnership, HackerOne, which already hosts the bug bounty programs of GitHub and Intel together with hundreds of others, takes over bounty payment processing. Researchers get more payment options as a result, including PayPal, cryptocurrency and direct bank transfer in more than 30 currencies, and HackerOne also supports splitting an award between collaborators and donating it to charity.
HackerOne members will also find that Microsoft bounty awards processed through the HackerOne platform will contribute to their overall HackerOne reputation score.
Microsoft is keen to stress that HackerOne's role is limited to payments: vulnerability reports should still be submitted directly to the Microsoft Security Response Center, not to HackerOne.
Alongside the news of the partnership Microsoft reiterated that it is increasing both the awards and the scope of the program. The top amounts were actually raised in January, from $15K to $50K for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty program, which covers Azure, O365 and other online services. These are still well below the largest award Microsoft offers: the Microsoft Mitigation Bypass Bounty and Bounty for Defense Program pays up to $100,000 for a mitigation bypass.
There's also a new policy for duplicates. Until now, an external report of a vulnerability Microsoft already knew about internally earned only 10% of the eligible bounty award, on the grounds that the report had not helped Microsoft identify anything new. However, on the basis that:
"understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can"
Microsoft has changed its policy on these so-called duplicate submissions. The first external researcher to report a bounty-eligible vulnerability will now receive the full eligible bounty award, even if the issue was already known internally.