Microsoft awarded $13.6 million to security researchers via bug bounty programs over the...

Shawn Knight

In brief: Microsoft over the past 12 months has paid out $13.6 million in bug bounty awards to 341 security researchers in nearly 60 countries around the world. That's down ever so slightly from last year's numbers, despite Microsoft adding two new programs to the mix.

In its year in review, Microsoft said the average amount per award across all programs was more than $10,000. The largest single award was $200,000, under the Hyper-V Bounty Program, which spans three types of vulnerabilities: remote code execution, information disclosure and denial of service. That program’s description notes that the highest possible award is $250,000, so it seems nobody hit the jackpot over the past year.

In total, Microsoft received 1,261 eligible vulnerability reports during the 12-month period across its 17 different bounty programs.

Interestingly enough, this year’s stats are very similar to last year’s. In the previous year-long period, Microsoft awarded a total of $13.7 million to 327 researchers spanning 1,226 eligible reports. Just like this past year, the biggest single award was $200,000.

Since last year’s report, Microsoft has added two new bug bounty and research programs. The Microsoft Applications Bounty Program (Teams Desktop) launched in March 2021 followed by the SIKE Cryptographic Challenge which arrived just last month. The Windows Insider Preview Bounty Program, meanwhile, was updated in July 2020 and the Research Recognition Program was updated this past February.

Lmfao -- their MAX contractual payout is $1500AUD per incident. Thus, that is what a potential 0 day is worth.

And, to add to that -- you have to give them 100% of what you know, with no guarantee, under an NDA. I've anonymously gotten $45-120AUD for things that I COULD exploit on hundreds of thousands of users.

It's a joke. So is google's. Idk about Apple's.
How does $1.5k align with the average award of $10k and largest single award of $200k average quoted? I’m missing something.
I have no idea. However, a) it was late and I was thinking of Google (though they're all pretty similar) and b) it appears even Google has raised theirs to a max of $31,000 and a minimum of $100.

So that's SOME progress at least, I guess... I just didn't bother and locked them away in the 0day cabinet in case I ever needed to get into any Hackers 2 style shenanigans.

Now, if they really want to do some good, let's see them raise a bounty for each and every successful hack the user community can develop towards the FSU and other Russian assets ..... I'm thinking they would have no problem getting a little quiet Government support for that one!

Start with sabotage of their pipelines ..... oil is their only serious product sold to outsiders, and with so many European countries headed towards alternative sources of energy it could put a stranglehold on Russia ......

Google paid some kid $150k for getting access to internals in Google Cloud