Microsoft pays record $17 million in bounties over the last 12 months

Microsoft pays record $17 million in bounties over the last 12 months

​Microsoft paid a record $17 million this year to 344 security researchers across 59 countries through its bug bounty program.

Between July 2024 and June 2025, the researchers submitted a total of 1,469 eligible vulnerability reports, with the highest individual bounty reaching $200,000.

These reports helped resolve more than 1,000 potential security vulnerabilities across various Microsoft products and platforms, including Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, and Xbox.

“By incentivizing independent researchers to identify vulnerabilities in high-impact areas, including the rapidly evolving field of AI, we’re able to stay ahead of emerging threats,” Microsoft stated in its annual bounty program review.

“Through Coordinated Vulnerability Disclosure, these researchers play a critical role in reinforcing the trust that millions of users place in Microsoft technologies every day.”

During the previous year, Microsoft paid another $16.6 million in bounty awards to 343 security researchers from 55 countries.

Bug bounty program updates

The company has also expanded several bounty programs this year, such as Copilot AI, Defender products, and various identity management systems.

For instance, the Copilot bounty program now includes traditional online service vulnerabilities, the Dynamics 365 and Power Platform programs introduced a new AI category, and the Windows program has added awards for remote denial-of-service attacks and local sandbox escape scenarios.

Additionally, the Identity bounty program now covers more APIs and domains, and the Defender program has added Microsoft Defender for Identity (MDI), Microsoft Defender for Office (MDO), and Microsoft Defender for Cloud Applications (MDA).

More recently, Microsoft announced higher payouts for moderate-severity Microsoft Copilot (AI) security flaws, increased rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities, and raised bounty awards for Power Platform and Dynamics 365 AI flaws.

On Monday, the company revealed that it will offer up to $5 million in bounty awards at this year’s Zero Day Quest hacking contest, described as the “largest hacking event in history.”

Picus Red Report 2025

Malware targeting password stores surged 3X as attackers executed stealthy Perfect Heist scenarios, infiltrating and exploiting critical systems.

Discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.



Source link

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.