Microsoft has unveiled a new bug bounty program aimed at the Microsoft Defender security platform, with rewards between $500 and $20,000.
While higher awards are possible, Microsoft retains sole discretion to determine the final reward amount based on vulnerability severity, impact, and submission quality.
The highest reward is available for high-quality reports of critical severity remote code execution vulnerabilities.
Currently, the Microsoft Defender Bounty Program is limited in scope and will focus solely on Microsoft Defender for Endpoint APIs (Application Programming Interfaces). However, it is expected to expand to include other Defender products in the future.
“The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team,” said MSRC Senior Program Manager Madeline Eckert.
“Microsoft’s Bug Bounty programs represent one of the many ways we invest in partnerships with the global security research community to help secure Microsoft customers.”
| Vulnerability Type | Report Quality | Critical | Important | Moderate | Low |
|---|---|---|---|---|---|
| Remote Code Execution | High | $20,000 | $15,000 | $0 | $0 |
| Remote Code Execution | Medium | $15,000 | $10,000 | $0 | $0 |
| Remote Code Execution | Low | $10,000 | $5,000 | $0 | $0 |
| Elevation of Privilege | High | $8,000 | $5,000 | $0 | $0 |
| Elevation of Privilege | Medium | $4,000 | $2,000 | $0 | $0 |
| Elevation of Privilege | Low | $3,000 | $1,000 | $0 | $0 |
| Information Disclosure | High | $8,000 | $5,000 | $0 | $0 |
| Information Disclosure | Medium | $4,000 | $2,000 | $0 | $0 |
| Information Disclosure | Low | $3,000 | $1,000 | $0 | $0 |
| Spoofing | High | N/A | $3,000 | $0 | $0 |
| Spoofing | Medium | N/A | $1,200 | $0 | $0 |
| Spoofing | Low | N/A | $500 | $0 | $0 |
| Tampering | High | N/A | $3,000 | $0 | $0 |
| Tampering | Medium | N/A | $1,200 | $0 | $0 |
| Tampering | Low | N/A | $500 | $0 | $0 |
| Denial of Service | High/Low | Out of Scope | Out of Scope | Out of Scope | Out of Scope |
The complete list of in-scope security vulnerabilities includes:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Cross-tenant data tampering or access
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by the user)
- Using components with known vulnerabilities (requires a full proof of concept (PoC) demonstrating exploitability; for example, simply identifying an out-of-date library would not qualify for an award)
Per Microsoft’s guidelines, if multiple security researchers file reports about the same issue, the bounty is awarded only to the first submission.
Moreover, if a submission qualifies for multiple bounty programs, the researcher receives the single highest payout offered by any one of those programs, not a combined award. Further details regarding the Microsoft Bounty Program are available on this FAQ page.
Today, Microsoft also revealed that it paid $58.9 million in rewards to 1,147 security researchers worldwide who reported 446 eligible vulnerabilities across 22 bug bounty programs.
One month earlier, the company announced a new AI bounty program focused on the AI-driven Bing experience, with rewards of up to $15,000.
Last year, Redmond added on-premises Exchange, SharePoint, and Skype for Business to its bug bounty program and increased the maximum awards for high-impact security flaws reported through its Microsoft 365 program.