Microsoft promises more bug payouts, with or without a bounty program

Microsoft is overhauling its bug bounty program to reward exploit hunters for finding vulnerabilities across all its products and services, even those without established bounty schemes.

Tom Gallagher, VP of engineering at Microsoft Security Response Center (MSRC), told Black Hat Europe delegates yesterday that the company will adopt what it calls an "in scope by default" approach.

Under the new model, MSRC will pay researchers who report critical vulnerabilities that have a demonstrable impact on Microsoft's online services.

"Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue," Gallagher said. "Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit."

The same class of vulnerability, and its severity, will attract the same monetary award in a third-party codebase as it would if it were found in one of Microsoft's products, he told The Register.

"Where no bounty programs exist, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft."

The move represents a shift in MSRC's bug bounties, which in the past have been prescriptive in terms of what type of bug warrants an award, and what products or services are eligible.

Gallagher said this "in scope by default" approach means that even new products and services are covered by bug bounties, including those without a dedicated program assigned to them at launch.

"The shift to an 'in scope by default' bounty model aims to strengthen our security posture amid an evolving threat landscape, especially across cloud and AI."

Microsoft says it paid more than $17 million in awards to researchers last year through its bug bounty program and Zero Day Quest competition, and expects to increase spending.

Belatedly, Microsoft launched its bug bounty program in 2013 after rejecting pressure to start one for years - a process that bounty lobbyist Katie Moussouris described as being like "boiling a frog."

While many researchers have financially benefited from Microsoft's bug bounty program since then, common gripes reported by those who aren't so lucky include slow response times and questionable triage conclusions.

Some frustrated experts have also gone to great lengths to make their feelings about the submission process known to MSRC. ®
