Microsoft has launched a new initiative to encourage and reward security researchers who find and report vulnerabilities in its Microsoft Defender products and services. The Microsoft Defender Bounty Program offers monetary rewards ranging from $500 to $20,000, depending on the severity, impact, and quality of the reported vulnerability. Microsoft reserves the right to adjust the reward amount at its discretion.
The program aims to attract high-quality reports of critical security issues that could compromise the integrity, availability, or confidentiality of Microsoft Defender. The most lucrative reward is reserved for remote code execution vulnerabilities, which allow attackers to execute arbitrary code on the target system. These types of vulnerabilities pose a serious threat to the security of Microsoft Defender and its users.
The scope of the program is currently limited to Microsoft Defender for Endpoint APIs, which are interfaces that allow developers to interact with the Defender platform. However, Microsoft plans to extend the program to cover other Defender products and services in the future, such as Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud.
The program is open to security researchers from all over the world, who are invited to join the Microsoft Security Response Center (MSRC) in identifying and fixing vulnerabilities in Defender products and services. MSRC Senior Program Manager Madeline Eckert said, “The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team. Microsoft’s Bug Bounty programs represent one of the many ways we invest in partnerships with the global security research community to help secure Microsoft customers.”
The program covers a wide range of security vulnerabilities, including:
- Cross-site scripting (XSS), which allows attackers to inject script into a page so that it runs in other users' browsers with that site's privileges.
- Cross-site request forgery (CSRF), which allows attackers to make an authenticated user's browser submit requests the user never intended.
- Server-side request forgery (SSRF), which allows attackers to make the server issue requests on their behalf, typically to internal resources the attacker cannot reach directly.
- Cross-tenant data tampering or access, which allows attackers to modify or read data belonging to other tenants or users.
- Insecure direct object references (IDOR), which allow attackers to reach objects they are not authorized for simply by supplying another user's identifier, because the application never checks authorization on the object.
- Insecure deserialization, which allows attackers to execute code by supplying crafted serialized data that the application deserializes without validation.
- Injection vulnerabilities, which allow attackers to alter a command or query (SQL, OS command, LDAP, and similar) by supplying input that the application incorporates without escaping or parameterization.
- Server-side code execution, which allows attackers to run arbitrary code on the server.
- Significant security misconfiguration, meaning insecure settings or features on Microsoft's side rather than misconfiguration introduced by the customer.
- Using components with known vulnerabilities, which requires a full proof of concept of exploitability; simply identifying an out-of-date library does not qualify for an award.
The program follows Microsoft's general bug bounty terms: the bounty goes to the first valid submission of a given vulnerability, so duplicate reports of the same issue are not rewarded. If a submission qualifies for more than one bounty program, the researcher receives the highest single payout from one program rather than a payout from each. For more information about the program, researchers can refer to the FAQ page.
The Microsoft Defender Bounty Program is part of Microsoft’s broader effort to foster a culture of security and collaboration with the security research community. Microsoft also announced that it paid a total of $58.9 million in rewards to 1,147 security researchers worldwide who reported 446 eligible vulnerabilities across 22 bug bounty programs in the past year. This is a significant increase from the previous year, when Microsoft paid $13.6 million to 327 researchers who reported 357 vulnerabilities.
One of the latest additions to Microsoft’s bug bounty programs is the AI Bounty Program, which focuses on the AI-driven Bing experience. The program rewards researchers who find and report vulnerabilities in Bing’s AI features, such as image search, video search, visual skills, and conversational skills. The rewards range from $500 to $15,000, depending on the severity and impact of the vulnerability. The program aims to improve the security and reliability of Bing’s AI capabilities, which are used by millions of users every day.