Microsoft now pays security researchers for finding critical vulnerabilities in any of its online services, regardless of whether the code was written by Microsoft or a third party.
This policy shift was announced at Black Hat Europe on Wednesday by Tom Gallagher, vice president of engineering at Microsoft Security Response Center.
As Gallagher explained, attackers don’t distinguish between Microsoft code and third-party components when exploiting vulnerabilities, prompting the company to expand its bug bounty program to cover all Microsoft online services by default, with all new services in scope as soon as they are released.
The program now also includes security flaws in third-party dependencies, including commercial or open-source components, if they impact Microsoft online services.
“Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue,” Gallagher said.
“Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit. Where no bounty program exists, we will recognize and award the diverse insights of the security research community wherever their expertise takes them.”
Microsoft has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year.
Today’s announcement is part of Microsoft’s broader Secure Future Initiative, designed to prioritize security across all of the company’s operations.
As part of the same initiative, Microsoft also disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps, and has updated Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols.
More recently, it began rolling out a new Teams feature to block screen capture attempts during meetings and announced plans to secure Entra ID sign-ins from script injection attacks.
