    Microsoft expands bug bounty scheme to include third-party software

    By TechAiVerse, December 11, 2025

    The company is to offer bug bounty awards for people who report security vulnerabilities in third-party and open source software impacting Microsoft services

    By Bill Goodwin, Investigations Editor

    Published: 11 Dec 2025 12:15

    Microsoft is to expand its bug bounty scheme to reward people for finding high-risk security vulnerabilities that could impact the security of Microsoft’s online services.

    The company is extending its reward programme to cover vulnerabilities in software that could affect services provided by the company, irrespective of whether it is owned and managed by Microsoft.

    Microsoft awarded more than $17m to security researchers through its bug bounty programmes and live hacking events this past year, and expects to offer more in 2026.

    The Redmond-based company said the programme, dubbed “in scope by default”, will extend its bug bounty scheme to include serious vulnerabilities that affect Microsoft cloud services.

    It will offer bounties for vulnerabilities in third-party and open source code that have an impact on Microsoft’s online products, in cases where there is no existing bug bounty programme available.

    Microsoft claimed it “would do whatever it takes” to ensure that bugs in open source and third-party software are fixed. “This could be writing patches or offering support to help the code owner address,” it said. “The level of support will depend on what is needed on a case-by-case basis.”

    Until now, Microsoft has focused its vulnerability research on product-focused bug bounty programmes.

    The new bounty programme will take a “holistic approach”, reflecting the ways that hostile hackers find to attack systems, which often involve finding vulnerabilities at the boundaries between different software products.

    Tom Gallagher, vice-president for Microsoft Security Response Centre, said the change will ensure there are stronger protections against vulnerabilities in supply chains that can be used by attackers to “pivot” into high-value targets.

    Microsoft’s approach is to use bug reports, not simply for the sake of fixing bugs, but as a red flag to identify areas where Microsoft may need to devote additional security resources, he told Computer Weekly.

    Microsoft has been criticised by security researchers for “unacceptable delays” in fixing serious vulnerabilities in its Azure cloud platform and for botching one security patch that was later exploited by Chinese spies.

    Gallagher said the company had become more transparent about security over the past 12 months. This includes posting CVE reports about software vulnerabilities discovered in its cloud services, which were previously not publicly disclosed as they were automatically patched by Microsoft.

    “Microsoft was the first cloud provider to say, hey, if there is a critical issue in the cloud, even if you don’t need to patch it, we are going to issue that CVE,” he said. “And we do that for issues that security researchers report.”

    About half of the CVEs are discovered by Microsoft’s own security specialists.

    The value of vulnerabilities

    The company takes several factors into account when deciding how much to pay out for a vulnerability, and will offer more to encourage people to look for bugs in key areas.

    Microsoft’s Hyper-V, a tool used to isolate virtual machines in Windows and on Microsoft Azure, is a priority, attracting up to a quarter of a million dollars for one vulnerability.

    Gallagher told Computer Weekly that since he joined Microsoft in 1999, it has become much harder for security researchers and bad actors to find security vulnerabilities in Microsoft software.

    “In a modern system, you are going to have to work pretty hard to find that initial bug, and in order to build a full exploit, you will often need a chain of vulnerabilities that are perfectly aligned,” he said.

    Using AI to find bugs

    The company is also looking at how artificial intelligence (AI) can be used to automate the finding of vulnerabilities. “It is in the very early stages,” said Gallagher. “It’s looking very fruitful, and I am excited about that.”

    He said AI can be trained to understand complex systems and will be able to find vulnerabilities at a scale that humans cannot match.

    “For a company like us, it’s super valuable because we can find a bunch of issues very quickly,” said Gallagher. “You can also imagine bringing it to the next step where you are also using it to fix issues and to mitigate issues.”

    He added that in the future, there will be more focus on probing the security of large language model AI systems. Unlike traditional security vulnerability research, that will not necessarily need people with strong technical skills.

    “If you are a good con man, or a social engineer, or you are just savvy with how to talk to someone, you don’t need to have that technical expertise,” said Gallagher.

    He added that Microsoft runs programmes to encourage security researchers to go bug hunting and develop the skills of young people interested in security vulnerability research.

    They include a series of BlueHat conferences in Redmond, Israel and India, for people who are starting out on careers in security research. “We want to bring them in early and help them understand how they can leverage some of those basic skills,” said Gallagher.
