Microsoft expands its bug bounty program, increases payouts
How do you keep enterprising hackers from unloading exploits into the wild? Microsoft has been paying bounties to researchers who find and disclose security issues for a while. Now, it's expanded the program. At Black Hat, the company announced that it will double the size of payments it makes in its Bounty for Defense program, and it'll also be expanding the Online Services Bug Bounty to new areas of eligibility.
Let's say an exploit has been discovered in the wild, and Microsoft has mitigated (or patched) that exploit. If you can get around that mitigation, you have a submission for the company's Mitigation Bypass program, which could net you up to $100,000. Ideas for defending against further hacking efforts are eligible for the Bounty for Defense program, which has its own $100,000 maximum payout. Submissions that offer both a mitigation bypass and a defensive idea would receive both bounties. These bounties are only good for attacks on the latest version of Windows, so those of you interested in submitting your brilliant ideas need to cover Windows 10.
The Online Service Bug Bounties program has been expanded to include Azure Active Directory and the Microsoft Account service, in addition to Office 365 and the other Azure services that were previously eligible. The bounty for online service bugs has also been raised temporarily, from its normal $500-$15,000 to a maximum payout of $30,000 until October 5. You better get—ehrm—cracking.