Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards

Security researchers are a vital component of the cybersecurity ecosystem that safeguards every facet of digital life and commerce. The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude.

The security landscape is constantly changing with emerging technology and new threats. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), security researchers have continued to help us secure millions of customers. Microsoft is committed to continuing to enhance our Bug Bounty Programs and strengthening our partnership with the security research community. Over the past 12 months Microsoft awarded $13.7M in bounties, more than three times the $4.4M we awarded over the same period last year.

****What has changed in the past year?** **What has changed in the past year?****

We’re constantly evaluating the threat landscape to evolve our programs and listening to feedback from researchers to help make it easier to share their research. This year, we launched six new bounty programs and two new research grants, attracting over 1,000 eligible reports from over 300 researchers across 6 continents. In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic.

****New and Updated Bounty Programs** **New and Updated Bounty Programs****

• Microsoft Dynamics 365 Bounty Program, launched July 2019 NEW
• Azure Security Lab, launched August 2019 NEW
• Microsoft Edge on Chromium Bounty Program, launched August 2019 NEW
• Election Guard Bounty Program, launched October 2019 NEW
• Identity Bounty Program, updated October 2019
• Xbox Bounty Program, launched January 2020 NEW
• Azure Sphere Security Research Challenge, launched May 2020 NEW
• Windows Insider Preview Bounty Program, updated July 2020

****New Research Programs:** **New Research Programs:****

• Most Valuable Researcher Recognition Program, updated July 2019
• Security Researcher Quarterly Leaderboard, beginning August 2019
• Identity Research Grant, launched January 2020
• Microsoft Security AI RFP, launched in partnership with Microsoft Research March 2020
• Machine Learning Security Evasion Competition, launched in partnership with CUJO AI, VMRay, and MRG Effitas June 2020

Thank you to everyone who shared their research with Microsoft this year, and for their participation in Microsoft’s Bounty Programs. Millions of customers, and the broader ecosystem, are more secure thanks to their efforts.

Jarek Stanley, Lynn Miyashita, Sylvie Liu, and Chloé Brown
Microsoft Security Response Center