Microsoft: Our bug bounty payouts hit $2m in 2018 and we're offering more in 2019

Microsoft hands off bug-bounty payments to HackerOne but not Microsoft security-flaw submissions.


Microsoft is overhauling the Microsoft Bounty Program after awarding external security researchers over $2m in 2018. 

The Redmond tech giant is handing off the payment-processing part of its bug bounty to HackerOne and promises that the partnership will mean faster bounty payments and more payment options, including PayPal, cryptocurrency, and direct bank transfers in over 30 currencies.

"Once a vulnerability submission has successfully qualified for bounty award, we want to ensure payments happen quickly," said Jarek Stanley of the Microsoft Security Response Center.

The tie-up means Microsoft rewards will contribute to researchers' ranking on HackerOne. However, Microsoft is retaining control over all other aspects of the program, such as receiving reports, triaging bugs, and determining the value of a payout. 


Stanley warns researchers not to send bug reports about Microsoft products to HackerOne. Doing so would violate Microsoft's bug-bounty terms, which bar researchers from sharing vulnerability details with third parties.

HackerOne will not receive any details about bugs from Microsoft beyond the award amount, case number, and case severity. More details are available on Microsoft's bug-bounty FAQ page.

Microsoft is also speeding up payments for the Cloud, Windows, and Azure DevOps programs by paying researchers once it has reproduced and assessed a submission, rather than waiting until the final fix has been determined.

There is also now a more generous policy for external researchers who report a bug that Microsoft is already aware of internally. Previously, such reporters received only 10 percent of the normal reward; now the first external researcher to report a bug already known inside Microsoft will get the full bounty.

The policy remains the same for duplicate reports from different external parties: the bounty goes to the first eligible submission.

Finally, Microsoft is increasing the scope of existing programs. As of January, the top payout for the Windows Insider Preview program is $50,000, up from $15,000, while the Microsoft Cloud Bounty now tops out at $20,000, up from $15,000.

Microsoft has been gradually ratcheting up rewards and expanding the scope of its bounties. The top-paying bounty is the Microsoft Mitigation Bypass Bounty and Bounty for Defense Program, which offers rewards of up to $100,000 for a mitigation bypass and up to $100,000 for defensive techniques.

However, the company's $2m milestone still places it behind Google's sprawling bug-bounty programs, which paid out $3.4m to external researchers in 2018.

Microsoft-owned code-hosting site GitHub also recently updated its bug-bounty policies with new legal safe-harbor terms, committing not to sue researchers who violate GitHub's site terms so long as their actions are specifically for bug-bounty research.
