Microsoft reported on its 15 bug bounty programs last year. It turned out that in 2019 the company paid researchers a total of $13,700,000 for the vulnerabilities they discovered, that is, three times more than a year earlier ($4,400,000). In total, in the period from July 1, 2019 to June 30, 2020, 327 information security researchers discovered 1226 vulnerabilities in Microsoft products. The largest award was $200,000 and was related to a vulnerability in Hyper-V.
“The researchers who devote their time to discovering and uncovering security issues before attackers can exploit them deserve our collective respect and thanks”, says the Microsoft Security Response Center blog.
Thus, last year’s bug bounty payments under Microsoft’s programs far surpassed the equivalent awards from Google, which totaled only $6,500,000 last year, and Google called that a record year.
Microsoft says that the large payouts are explained by the launch of six new incentive programs and two new research grants.
New Research Programs:
- Most Valuable Researcher Recognition Program, updated July 2019
- Security Researcher Quarterly Leaderboard, beginning August 2019
- Identity Research Grant, launched January 2020
- Microsoft Security AI RFP, launched in partnership with Microsoft Research March 2020
- Machine Learning Security Evasion Competition, launched in partnership with CUJO AI, VMRay, and MRG Effitas June 2020
As a result, the company has attracted over 1000 pertinent bug reports from over 300 researchers.
The company also notes that researcher activity was clearly affected by the coronavirus pandemic and the quarantines in many countries around the world.
“In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and a higher number of reports during the first several months of the pandemic”, Microsoft said.
Let me remind you that bug bounty programs are run by many large IT companies. For example, we reported that Facebook expanded its bug bounty program to cover third-party services. However, Zerodium will not buy exploits for iOS, as there are too many of them.