Most notably Microsoft has doubled the maximum fees for the Bounty for Defense from $50,000 to $100,000. It has also extended its Online Services Bug Bounty to include authentication vulnerabilities, where discoveries are now eligible for a double payment.
Microsoft said the changes came in response to feedback from the security research community. The company made the announcement at last week’s Black Hat cybersecurity conference in Las Vegas, which it called “part of the rigorous security programs at Microsoft.”
Many tech and software companies run bug bounty programs to entice ethical hackers to disclose any bugs or vulnerabilities in their software to the company in exchange for a cash reward, rather than go public with the information.
Oftentimes hackers have to meet strict criteria in order to claim their prize, like agreeing to not disclose any information about the bug before telling the company or rigorously proving the dangers of their findings if they want to get paid.
Microsoft has been steadily expanding its bug bounties over the years. In April of this year, it introduced programs covering Microsoft Azure and a bounty for the preview of Microsoft Edge ahead of its release.
Bug bounty rewards can vary wildly from company to company. Yahoo for example has smaller rewards going for around $100, while their maximum rewards can hit $20,000. United Airlines offers flight miles to researchers. Mozilla meanwhile pays up to $10,000 for “novel” vulnerabilities and exploits depending on how rare or dangerous the bug is.
