Microsoft Partners With HackerOne On Bug Bounty
Written by Kay Ewbank   
Friday, 12 April 2019

Microsoft's Bug Bounty program has been updated to pay out faster for valid vulnerabilities. The HackerOne hacker community has joined as a partner to speed up checks and handle payouts.

The Microsoft Bounty Program paid out over $2,000,000 last year to researchers who reported valid vulnerabilities, and the new arrangement is intended to shorten the time between a submission and a payout decision.


The faster review is already underway for the Cloud, Windows and Azure DevOps programs, where bounties are now awarded once each submission has been reproduced and assessed, rather than waiting until the final fix has been determined.

In the latest move, HackerOne, which already hosts both GitHub's and Intel's bug bounty programs together with hundreds of others, has been added as a partner and will handle bounty payment processing. This brings more payment options, including PayPal, crypto-currency, or direct bank transfer in more than 30 currencies. HackerOne also supports splitting an award between researchers and donating it to charity.

HackerOne members will also find that Microsoft bounty awards processed through the HackerOne platform will contribute to their overall HackerOne reputation score.  

Microsoft is keen to stress that vulnerability reports should still be sent to the Microsoft Security Response Center directly rather than to HackerOne.

Alongside the news of the partnership, Microsoft reiterated that it is increasing both the awards and the scope of the program. The top awards were raised in January from $15K to $50K for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty program, which covers Azure, Office 365 (O365) and other online services. These are still below the highest payment Microsoft makes: the Microsoft Mitigation Bypass Bounty and Bounty for Defense Program offers up to $100,000 for a mitigation bypass.

There's also a new policy for duplicates. Until now, an external report of a vulnerability that Microsoft already knew about internally earned only 10% of the eligible bounty award, on the grounds that the report had not helped Microsoft identify anything new. However, reasoning that:

"understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can"

Microsoft has changed its policy on these so-called duplicate submissions: the first external researcher to report a bounty-eligible vulnerability will now receive the full eligible award, even if the issue was already known internally.


More Information

Cloud Bounty Program

Windows Bounty Program

Azure DevOps Bounty Program

Related Articles

GitHub Bounty Program Increases Rewards

Intel Extends Bug Bounty Program 

Memory Safety Bugs Form 70 Percent Of Vulnerabilities

Microsoft Bug Bounty Extends Scope

Microsoft Extends Bounty

 

 
