Bug bounty programs are a very efficient way of getting the wider security community involved in helping to protect a piece of software. In return for spending time trying to break through the security of any given system, you can earn some cash and a little bit of fame.
Microsoft isn’t new to the bug bounty game. Mitigation Bypass Bounty and Bounty for Defense programs have been running since 2013, and a Microsoft Edge bounty has been in place since August 2016. The latest bounties are really more of an expansion of what’s already in place and includes the Windows Insider Preview, Windows Defender Application Guard and Microsoft Hyper-V.
Rewards range anywhere from $500 right up to $250,000 for the most serious Hyper-V bugs. Hyper-V is Microsoft’s solution for running virtual machines and helps power the Azure cloud computing service, so you can see why Microsoft would like to identify and fix any vulnerabilities there quickly. In order to earn $250,000 you need to identify a vulnerability that qualifies as Remote Code Execution, Information Disclosure or a Denial of Service.
A nice additional feature of this bounty program is the 10 percent reward. If a bug is reported that Microsoft already discovered internally, the first finder will still receive 10 percent of the qualifying reward. So if they found a vulnerability worth $250,000, which Microsoft already knows about internally, they’ll still receive $25,000.
Taken as a whole, Microsoft is clearly very keen to ensure its core products of Windows 10, Windows Server, the Edge browser and Windows Defender are as secure as possible. And with the rate at which new threats appear, it would be almost impossible to keep up relying solely on an internal security team at Microsoft.