A Microsoft announced that, over the last decade, it has paid out $63 million in rewards to security researchers who participate in its bug bounty programs.
The first bug bounty programs were launched by Big Tech in 2013, when it accepted reports of exploit techniques in Windows 8.1 and flaws in the preview version of Internet Explorer 11.
Initially, the company received less than one hundred reports annually, carried out by a few dozen participating researchers. At the time, Microsoft paid a few hundred dollars in rewards per year.
Microsoft currently has 17 bug bounty programs covering Azure, Edge, Microsoft 365, Windows, Xbox, and more. The rewards range up to $250, an amount offered for high-impact bugs in the Hyper-V hypervisor.
Thousands of security researchers from 70 countries are being rewarded for discovering and reporting bugs, according to the company. Full-time students, academics and cybersecurity professionals also participate in these programs.
Of the total of 63 million dollars distributed since 2013, 60 million were paid in the last five years, reveals Microsoft. As of 2020, the company has distributed more than $13 million per year to nearly 300 researchers.
“Program data is a critical part of equipping product and security teams across the enterprise to deliver broader security improvements and mitigations, as well as point-in-time bug fixes.”, says Microsoft.
Since 2013, Microsoft has changed its bug bounty policies several times to offer payments even for bugs that had already been discovered internally and to clarify for researchers which vulnerability reports are eligible.
“Today, incentives and partnerships are included in our company’s vulnerability disclosure program”, she adds. “Every report that is taken, evaluated and corrected is reviewed for potential eligibility for rewards. No need to register, no need to sign up, everyone is invited”.
