Business

Microsoft awarded $13.6 million to security researchers in the past 12 months

Published

3 years ago

July 10, 2021

Microsoft said it awarded more than $13.6 million as monetary rewards to security researchers through its public bug bounty programs over the past 12 months.

According to Microsoft:

The funds were awarded for 1,261 bugs reported by 341 security researchers across 17 bug bounty platforms between July 1, 2020 and June 30, 2021.
The highest awarded bounty was $200,000 for a vulnerability reported in Hyper-V, Microsoft’s OS virtualization technology.
The average bounty was more than $10,000 per valid bug report across all programs.
Most bug reports came from researchers residing in China, the US, and Israel.
The company said it plans to announce the 2021 Most Valuable Security Researcher next month.
The sum awarded this year is identical to what Microsoft reported one year ago when the company said it awarded $1 3 .7 million to 327 security researchers for 1,226 vulnerability reports across 15 bug bounty programs in the previous 12 months (July 1, 2019 to June 30, 2020).

Microsoft’s reported bug bounty payouts are the highest numbers reported by any vendor for yearly payouts.

Nonetheless, despite running the oldest and single biggest bug bounty program today, security researchers believe there are ways the company’s programs could be expanded further.

My view: unbelievable with such a big payout MSFT still:

– No love for Office research (msft revenue generator)
– No love for enterprise server-side research (hello, #proxylogon)
– No love for creative attack vector/surface research (in the spirit of hacking – go deeper) https://t.co/KiVDBmSaUB
— Haifei Li (@HaifeiLi) July 8, 2021