Microsoft Partners With HackerOne On Bug Bounty
Written by Kay Ewbank   
Friday, 12 April 2019

Microsoft's Bug Bounty program has been updated to pay out faster for valid vulnerabilities. The HackerOne hacker community has joined as a partner to speed up checks and handle payouts.

The Microsoft Bounty Program paid out over $2,000,000 last year to people who identified security threats, but the new move will make decisions on payouts faster in the future.

msbugbountyshield

 

The faster review is already underway for the Cloud, Windows and Azure Devops programs, where the bounties are now awarded on completion of reproduction and assessment of each submission, rather than waiting until the final fix has been determined.

The latest move, whereby HackerOne, which hosts both GitHub's and Intel's bug bounty programs together with hundreds of others, has been added as a partner, means that HackerOne will deal with bounty payment processing. There will also be more options for payments including PayPal, crypto-currency, or direct bank transfer in more than 30 currencies. HackerOne also supports award splitting and charity donations.

HackerOne members will also find that Microsoft bounty awards processed through the HackerOne platform will contribute to their overall HackerOne reputation score.  

Microsoft is keen to stress that vulnerability reports should still be sent to the Microsoft Security Response Center directly rather than to HackerOne.

Alongside the news of the partnership Microsoft reiterated that it is increasing the awards and scope of the program. The amounts were actually raised in January from $15K to $50K for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty program which includes Azure, O365, and other online services.  These awards are still lower than the highest payment Microsoft makes. The Microsoft Mitigation Bypass Bounty and Bounty for Defense Program offers payouts of up to $100,000 for mitigation bypass.

There's also a new policy for duplicates. Until now, external reports of a vulnerability Microsoft already knew about internally only got 10% of the eligible bounty award as the report didn't help Microsoft identify anything new. However, on the basis that:

"understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can"

Microsoft has changed its policy on these so-called duplicate submissions. The first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award, even if it is internally known.

 msbugbountyshield

 

More Information

Cloud Bounty Program

Windows Bounty Program

Azure DevOps Bounty Program

Related Articles

GitHub Bounty Program Increases Rewards

Intel Extends Bug Bounty Program 

Memory Safety Bugs Form 70 Percent Of Vulnerabilities

Microsoft Bug Bounty Extends Scope

Microsoft Extends Bounty

 

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on, Twitter, Facebook or Linkedin.

Banner


Google Attempts To Fix AMP - Makes It Worse
17/04/2019

AMP is Google's attempt to speed up the web or to dominate it even more than it does at the moment - take your pick of these alternatives. In an attempt to address one of the biggest criticisms of AMP [ ... ]



Kotlin Enters RedMonk's Top 20
28/03/2019

RedMonk has published the latest of its twice-yearly language rankings. For the January 2019, or Q1 2019, the Top 10 remains virtually unchanged from Q3 2017 and shows only minor variation from Q3 201 [ ... ]


More News

Python

 



 

Comments




or email your comment to: comments@i-programmer.info