Microsoft Bounty Bug Program

Some software companies invite security researchers to look for weaknesses in their software and then pay them for finding those. That is called a Bounty Bug program. Microsoft is one company that does that. Google has a bounty program for Android. Apple is late to the game, only launching its program this year, but it pays the highest bounty, up to $200,000 for zero-day vulnerabilities. Many smaller companies offer bounty bug programs too.

Not only does Microsoft pay a reward for finding bugs in Windows (some of the rewards are sizeable), it also features the researcher's name in its bulletins and invites some researchers to the Researcher Appreciation Party in Las Vegas.

Researchers have to be at least 14 years old and cannot come from countries against which the USA has sanctions. They also agree not to publish their exploit code.

Microsoft discusses the weaknesses and their fixes in its Microsoft Security Bulletins.

But Microsoft says researchers can write about the bug, and even show the exploit code, once the vulnerability is fixed. It says, "Please do not discuss the vulnerability in any form prior to Microsoft notifying you that it is fixed," and adds, "This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code."

If you look at the Bounty Honor Roll page, you can see that Microsoft has paid $100,000 and $75,000 to a handful of people. It pays different rates for different parts of Windows; for example, $15,000 for .NET.

Most of the winners seem to be security researchers at IT firms like Google or at security firms like NSFOCUS. Several people have been paid more than once.

Not all of these bugs are in Microsoft's own code. As is usually the case, the Security Bulletins frequently list security issues in Adobe Flash. (There have been several efforts to kill off Adobe Flash over the years for security reasons. None so far have been successful.)

Microsoft has also expanded the program beyond Windows to include its Azure cloud and Office 365. The bounty programs are broken down into .NET, Windows Insider, Online Services, and Windows itself.


Microsoft rewards mitigation tactics too, through its BlueHat Prize and the BlueHat Conference. Those prizes also reward the discovery of vulnerabilities.

Some of the vulnerability bounties are targeted at what Microsoft calls Mitigation Bypass: getting around protections that have been specifically hardened. Microsoft gives examples, including the Hyper-V hypervisor, which is not supposed to allow a virtual machine access to the host computer. Another is Remote Code Execution, the holy grail of what attackers hope to achieve, since that is how one takes over a machine.

One area where Microsoft looks for help is its Preview editions of Windows. For example, Windows Server 2016 is in Preview status. Users can download and install it for free, but the license runs out after 180 days.