A couple of days on from the official release of Windows 10, Microsoft has raised the rewards for some of its bug bounty programs, which it hopes will help keep its systems more secure.
Most notably, Microsoft has doubled the maximum reward for the Bounty for Defense from $50,000 to $100,000. It has also extended its Online Services Bug Bounty to include authentication vulnerabilities, where discoveries are now eligible for a double payment.
Microsoft said the changes came in response to feedback from the security research community. The company made the announcement at last week’s Black Hat cybersecurity conference in Las Vegas, which it called “part of the rigorous security programs at Microsoft.”
Many tech and software companies run bug bounty programs to entice ethical hackers to disclose any bugs or vulnerabilities in their software to the company in exchange for a cash reward, rather than go public with the information.
Oftentimes hackers have to meet strict criteria in order to claim their prize, like agreeing to not disclose any information about the bug before telling the company or rigorously proving the dangers of their findings if they want to get paid.
Microsoft has been steadily expanding its bug bounties over the years. In April of this year, it introduced programs covering Microsoft Azure and a bounty for the preview of Microsoft Edge ahead of its release.
Bug bounty rewards can vary wildly from company to company. Yahoo, for example, has smaller rewards of around $100, while its maximum rewards can hit $20,000. United Airlines offers flight miles to researchers. Mozilla, meanwhile, pays up to $10,000 for “novel” vulnerabilities and exploits, depending on how rare or dangerous the bug is.