Microsoft increases bug bounty awards for high-impact Microsoft 365 flaws
More money is needed to fund security researchBy Adrian Potoroaca
Bottom line: Microsoft's latest Patch Tuesday contains fixes for more than 100 vulnerabilities, ten of which are critical remote code execution flaws. The company wants to get ahead of cybercriminals by encouraging security researchers with bigger rewards for every high-impact flaw they can find in its Microsoft 365 products.
If there's one thing the security community has been complaining about for years, it's that most companies pay very little for vulnerability discoveries and even go as far as silently patching their software without giving credit to the people that reported the issues. The problem is severe enough that some security researchers have been exploring the idea of selling their work to zero-day brokers and other third parties to make ends meet.
On the upside, companies have been gradually increasing bug bounty payments as of late, presumably motivated by a surge in cyberattacks and malware campaigns.
Microsoft recently announced that it would add scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program.
The Redmond giant hopes to encourage security experts to focus their work on vulnerabilities that could have the highest potential impact on users' privacy. To that end, it will also increase the maximum payouts by up to 30 percent or $26,000, depending on the scenario and the severity of the bug.
For instance, finding a vulnerability that allows remote code execution through untrusted input qualifies for a 30 percent bonus on top of the standard M365 bounty award.
The company says higher awards are also possible "at Microsoft's sole discretion, based on the severity and impact of the vulnerability and the quality of the submission."
This move follows a similar one from last year that saw the Azure Bounty Program increase the maximum payout to $60,000 for high severity cloud vulnerabilities. Other companies like GitLab, Google, and Atlassian have all raised their top payouts for critical bug discoveries by as much as 50 percent.
Earlier this year, Intel also expanded its bug bounty program for researchers probing the security of firmware, hypervisors, GPUs, and more.