
Microsoft launches security rewards program

Encouraging the search for security flaws in Defender products

Microsoft has launched the "Microsoft Defender Bounty Program", which pays rewards of up to $20,000 to those who find and report serious flaws in its Defender products.


Microsoft recently launched a bounty program, the "Microsoft Defender Bounty Program", with the aim of identifying and fixing vulnerabilities in products and services related to Microsoft Defender. The Redmond company promises sums of up to $20,000 for the most critical discoveries. The initiative starts with a focus on Microsoft Defender API endpoints and will then gradually be extended to other components of the Defender portfolio.

Description of relevant vulnerabilities

Researchers are encouraged to report significant vulnerabilities with potential direct impact on customer security. Various types of weaknesses fall within the scope of the program, including XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), SSRF (Server-Side Request Forgery), cross-tenant data access or alteration, insecure direct object references, insecure deserialization, injection vulnerabilities, server-side code execution, and inadequate security configurations due to factors not attributable to the user.

Rewards for reporting vulnerabilities

Reports pertaining to Critical or Important vulnerabilities may result in rewards ranging from $500 to $20,000. In particular, high-quality reports describing Remote Code Execution (RCE) vulnerabilities will be favored. Microsoft reserves the right to increase the reward amount based on the severity of the vulnerability's impact and the quality of the submission.

Criteria for assigning rewards

A common feature of bounty programs is that, in the event of multiple reports on the same vulnerability, only the first one to be submitted will be considered for the reward. Importantly, the initiative is explicitly limited to technical vulnerabilities affecting Defender-related products and services. In the previous month, Microsoft kicked off a similar program focused on AI security, offering up to $15,000 for vulnerabilities found in the AI-powered "Bing" experience.


11/22/2023 12:11

Editorial AI
