Bug bounties: Here's how much Microsoft paid out to security researchers last year

Microsoft's bug bounty payments have flattened out but still remain large.
Written by Liam Tung, Contributing Writer

Microsoft has revealed it awarded 341 researchers a total of $13.6 million during the past year for reporting security vulnerabilities in its bug bounty programs

The awards were issued between July 1, 2020 and June 30, 2021 and is slightly less than what it paid out in 2019. That year, Microsoft tripled the awards from the previous year. 

The largest award was $200,000 under the Hyper-V Bounty Program, Microsoft's program for its virtualization layer on Windows 10, Windows Server 2016, and containers for running Windows and Linux applications in the cloud. 

SEE: Network security policy (TechRepublic Premium)

"With an average of more than $10,000 USD per award across all programs, each of the over 1,200 eligible reports reflect the talent and creativity of the global security research community and their invaluable partnership in addressing the challenges of a constantly changing security environment," the Microsoft Security Response Center (MSRC) said in a blogpost

Microsoft has launched some new bug bounties this year, including one for Microsoft Teams with awards up to $30,000 for critical bug reports. The other bounty is aimed at a potential future post-quantum cryptography standard called Supersingular Isogeny Key Encapsulation (SIKE)

Microsoft currently has 17 bug bounty programs available for researchers to earn rewards. The Hyper-V program offers the largest possible award of up to $250,000. 

The Microsoft Identity bounty is also important, covering Microsoft Account, Azure Active Directory, or select OpenID standards. The top payout is $100,000. 

Some individual security researchers can earn significant sums – even millions – from bug bounty programs.

Editorial standards