Microsoft promises more bug payouts, with or without a bounty program

Critical vulnerabilities found in third-party applications eligible for award under 'in scope by default' move

by · The Register

Microsoft is overhauling its bug bounty program to reward exploit hunters for finding vulnerabilities across all its products and services, even those without established bounty schemes.

Tom Gallagher, VP of engineering at Microsoft Security Response Center (MSRC), told Black Hat Europe delegates yesterday that the company will adopt what it calls an "in scope by default" approach.

Under the new model, MSRC will pay researchers who report critical vulnerabilities that have a demonstrable impact on Microsoft's online services.

"Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue," Gallagher said. "Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit."

The same class of vulnerability, and its severity, will attract the same monetary award in a third-party codebase as it would if it were found in one of Microsoft's products, he told The Register.

"Where no bounty programs exist, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft."

The move represents a shift in MSRC's bug bounties, which in the past have been prescriptive in terms of what type of bug warrants an award, and what products or services are eligible.

Gallagher said this "in scope by default" approach means that even new products and services are covered by bug bounties, including those without a dedicated program assigned to them at launch.

"The shift to an 'in scope by default' bounty model aims to strengthen our security posture amid an evolving threat landscape, especially across cloud and AI."

Microsoft says it paid more than $17 million in awards to researchers last year through its bug bounty program and Zero Day Quest competition, and expects to increase spending.

Belatedly, Microsoft launched its bug bounty program in 2013 after rejecting pressure to start one for years – a process head bounty lobbyist Katie Moussouris described as being like "boiling a frog."

While many researchers have financially benefited from Microsoft's bug bounty program since then, common gripes reported by those who aren't so lucky include slow response times and questionable triage conclusions.

Some frustrated experts have also gone to great lengths to make their feelings about the submission process known to MSRC. ®

UK finally vows to look at 35-year-old Computer Misuse Act: As Portugal gives researchers a pass under cybersecurity lawJoe Fay, 09 Dec 2025Researchers claim 'largest leak ever' after uncovering WhatsApp enumeration flaw: Two-day exploit opened up 3.5 billion users to myriad potential harmsConnor Jones, 19 Nov 2025Sneaky Mermaid attack in Microsoft 365 Copilot steals dataupdated: Redmond says it's fixed this particular indirect prompt injection vulnJessica Lyons, 24 Oct 2025Google declares AI bug hunting season open, sets a $30K max reward: Jailbreaks, direct prompt injection not allowedJessica Lyons, 07 Oct 2025