Microsoft's Bug Bounty program has been updated to pay out faster for valid vulnerabilities. The HackerOne hacker community has joined as a partner to speed up checks and handle payouts.

The Microsoft Bounty Program paid out over $2,000,000 last year to people who identified security threats, but the new move will make decisions on payouts faster in the future.

The faster review is already underway for the Cloud, Windows and Azure Devops programs, where the bounties are now awarded on completion of reproduction and assessment of each submission, rather than waiting until the final fix has been determined.

The latest move, whereby HackerOne, which hosts both GitHub's and Intel's bug bounty programs together with hundreds of others, has been added as a partner, means that HackerOne will deal with bounty payment processing. There will also be more options for payments including PayPal, crypto-currency, or direct bank transfer in more than 30 currencies. HackerOne also supports award splitting and charity donations.

HackerOne members will also find that Microsoft bounty awards processed through the HackerOne platform will contribute to their overall HackerOne reputation score.  

Microsoft is keen to stress that vulnerability reports should still be sent to the Microsoft Security Response Center directly rather than to HackerOne.

Alongside the news of the partnership Microsoft reiterated that it is increasing the awards and scope of the program. The amounts were actually raised in January from $15K to $50K for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty program which includes Azure, O365, and other online services.  These awards are still lower than the highest payment Microsoft makes. The Microsoft Mitigation Bypass Bounty and Bounty for Defense Program offers payouts of up to $100,000 for mitigation bypass.

There's also a new policy for duplicates. Until now, external reports of a vulnerability Microsoft already knew about internally only got 10% of the eligible bounty award as the report didn't help Microsoft identify anything new. However, on the basis that:

"understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can"

Microsoft has changed its policy on these so-called duplicate submissions. The first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award, even if it is internally known.

More Information

Cloud Bounty Program

Windows Bounty Program

Azure DevOps Bounty Program

Related Articles

GitHub Bounty Program Increases Rewards

Intel Extends Bug Bounty Program 

Memory Safety Bugs Form 70 Percent Of Vulnerabilities

Microsoft Bug Bounty Extends Scope

Microsoft Extends Bounty

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info