Microsoft expands Bug Bounty programs, increases rewards

Microsoft is continually tweaking its Bug Bounty programs, and the latest step in this evolution has been announced on Wednesday at Black Hat USA 2015.

“We are raising the Bounty for Defense maximum from $50,000 USD to $100,000 USD,” Jason Shirk of the Microsoft Security Response Center noted, and explained that the company is eager to “reward the novel defender equally for their research.”

The Online Services bug bounty has also been expanded to include vulnerabilities in RemoteApp, the solution that lets users run Windows apps hosted in Azure anywhere, and on a variety of devices (Windows, Mac OS X, iOS, or Android).

Researchers who discover and responsibly disclose authentication vulnerabilities in Microsoft Account (MSA) and Azure Active Directory (AAD) from now until October 5, 2015, will receive twice the normal payout. It can now reach as high as $30,000 – previous reward amounts varied between $500 and $15,000.

“These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits,” Shirk added.

The company is currently running an onsite contest at the Black Hat conference, and has invited researchers to come and try to poke holes in Microsoft Account authentication.