Microsoft on Monday introduced that it has paid out $63 million in rewards to the security researchers taking part in its bug bounty applications.
The tech large launched its first bug bounty applications in 2013, when it was accepting studies of exploitation methods in Home windows 8.1 and flaws within the preview model of Web Explorer 11.
Initially, Microsoft was receiving lower than 100 studies yearly, from the few dozen researchers who have been taking part. The corporate was paying just a few hundred {dollars} in rewards yearly.
Now, the corporate is working 17 bug bounty applications overlaying Azure, Edge, Microsoft 365, Home windows, Xbox, and extra, with rewards of as much as $250,000 provided for high-impact bugs within the Hyper-V hypervisor.
In response to Microsoft, hundreds of security researchers from 70 international locations at the moment are receiving bug bounties. College students, lecturers, and full-time cybersecurity professionals are additionally taking part within the firm’s bug bounty applications.
Of the overall $63 million handed out since 2013, $60 million have been paid over the previous 5 years, the corporate says. Beginning 2020, Microsoft has been handing out greater than $13 million yearly to roughly 300 researchers.
“The information from the applications is a vital a part of arming product and security groups throughout the corporate to ship broader security enhancements and mitigations past one-off bug fixes,” Microsoft says.
Since 2013, Microsoft has modified its bug bounty rewards insurance policies a number of occasions, to supply financial funds even for bugs that had already been found internally, and to make it clearer for researchers what vulnerability studies are eligible.
The award quantities have been elevated as effectively, concentrating on flaws with elevated buyer influence, and patching occasions have been shortened, the tech large says.
“Right now, incentives and partnership are baked into our firm’s vulnerability disclosure program. Each report that’s triaged, assessed, and glued is reviewed for potential bounty eligibility. There isn’t a have to register, no want to enroll, everyone seems to be invited,” the corporate notes.
