Microsoft pays out 16.6 million US dollars in bug bounty money

Microsoft takes stock of last year's bug bounty programs. The company paid out 16.6 million US dollars.

Stylized image: Laptop with burning screen, Whitehat sits in front of it and counts money

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Microsoft has taken stock of the company's bug bounty programs over the past twelve months. According to the report, the manufacturer has paid out 16.6 million US dollars to those who reported security vulnerabilities.

A total of 343 IT security researchers from 55 countries have received a reward for working with Microsoft's Security Response Center (MSRC) to improve customer security, Microsoft is pleased to announce in a blog post. The bug bounty programs cover a wide range of products, from Azure, Edge, M365, Dynamics 365, Power Platform and Windows to Xbox and more, the authors explain.

"The Microsoft Bounty Program is an important part of our proactive strategy to incentivize research programs to partner with the external research community and protect our customers from security threats," Microsoft writes. As the IT security landscape and Microsoft's attack surface are changing, so are the bug bounty programs. In the past year, the company has therefore introduced further such programs: for Microsoft AI, Identity, Microsoft 365 Insider, Defender or, for a limited time, Secure Boot under Windows.

Microsoft is expanding the coverage of existing programs to include new products and services, or realigning the targets to protect against malicious actors and new attack vectors. The rewards for reported vulnerabilities are based on severity and impact on security, and also consider the completeness and accuracy of the reports. They are also based on the areas that are most important to customers. This is intended to focus research on the areas with the greatest threats. For the coming year, Microsoft also wants to listen to feedback from IT researchers to improve the bug bounty programs.

Not only Microsoft, but also numerous other large companies, rely on bug bounty programs to attract external, freelance IT security researchers for quality assurance. Google, for example, also uses bug bounties, known as the Vulnerability Reward Program (VRP), to improve the security of its products and services. In 2023, the company paid out 10 million US dollars to 632 people from 68 countries for security reports in this context.

(dmk)