Microsoft Bounty Bug Program

Some software companies invite security researchers to look for weaknesses in their software and then pay them for finding those. That is called a bug bounty program. Microsoft is one company that does that. Google has a bounty program for Android. Apple is late to the game, only launching its program this year, but it pays the highest bounty, up to $200,000 for zero-day vulnerabilities. Many smaller companies offer bug bounty programs too.

Not only does Microsoft pay a reward for finding bugs in Windows—some of them are sizeable—they feature the researcher’s name in their bulletins and invite some of them to come to the Researcher Appreciation Party in Las Vegas.

Researchers have to be at least 14 years old and cannot come from countries against which the USA has sanctions. And they agree not to publish their exploit code.

Microsoft discusses weaknesses and their fixes in their Microsoft Security Bulletins.

But Microsoft says researchers can write about the bug as well as show the exploit code, but only once the vulnerability is fixed. They say, “Please do not discuss the vulnerability in any form prior to Microsoft notifying you that it is fixed.” And they say, “This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code.”

If you look at the Bounty Honor Roll page, you can see that Microsoft has paid $100,000 and $75,000 to a handful of people. They pay different rates for different parts of Windows, such as $15,000 for .NET.

Most of the winners seem to be security researchers at IT firms like Google or security firms like NSFOCUS. Several people have been paid more than once.

Not all of these bugs are Microsoft bugs. As is usually the case, the Security Bulletin frequently lists security issues with Adobe Flash. (There have been several efforts to kill off Adobe Flash over the years for security reasons. None so far have been successful.)

Microsoft has also expanded the program beyond Windows to include its Azure cloud and Office 365. The bounty programs are broken down into .NET, Windows Insider, Online Services, and Windows itself.


As for mitigation tactics, Microsoft awards those too with its BlueHat Prize and Blue Hat Conference. Those prizes also reward discovering vulnerabilities.

Some of the vulnerability bounties are targeted toward what Microsoft calls Mitigation Bypass. Obviously that means going around items that have been specifically hardened. Microsoft gives examples of that, including the Hyper-V hypervisor, which is not supposed to allow access to the host computer. Another is Remote Code Execution, which is the holy grail of what hackers hope to achieve, as that is how one takes over a machine.

One area where Microsoft looks for help is its Preview editions of Windows. For example, Windows Server 2016 is in Preview status. Users can download and install it for free, but the license runs out in 180 days.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
