Microsoft paying a bug bounty of $30,000

First off, I have to issue something of a correction regarding last week’s blog post on Intel price cuts. As it turns out, I have been informed that Intel didn’t cut the prices, Micro Center cut them as a loss leader, something it frequently does. It doesn’t change the bargain prices, just the motivation. So, I wanted to set the record straight on that. 

Onward. Microsoft is looking for a few good bugs. And people who will keep it quiet. 

OK, so I have no evidence of direct causality, but it seems convenient. Over the past few weeks, Google has embarrassed Microsoft twice by publicly disclosing security vulnerabilities in Windows 10 that still have not been patched after 90 days. Google has no mercy with its Zero Day disclosures and plays no favorites. Any company that does not fix a bug by 90 days after Google informs them of it will be hung out to dry. 

So, it seems suspect that Microsoft has doubled their bug bounty for a limited period to up to $30,000 if researchers find a serious bug in certain Microsoft services. The bounty runs from March 1 to May 31, 2017.

Of course, finding the bugs isn’t the problem. Google keeps finding them. The problem is getting Microsoft to fix them. But that’s another story. 

Controlling the bug process

Having bugs found by researchers and paid by Microsoft would give the company a little more control over the process, rather than have their hand forced by Google. And presumably Microsoft will NDA the hell out of the researcher so they don’t blab to the whole internet about what they found. 

Microsoft is offering rewards for services on the following domains: 

  • portal.office.com
  • outlook.office365.com
  • outlook.office.com
  • *.outlook.com
  • outlook.com

The total list includes 18 domains and 37 eligible endpoints covered by the standard bug bounty.

Microsoft wants researchers to look for nine different types of bugs, including: 

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection vulnerabilities
  • Authentication vulnerabilities
  • Server-side code execution
  • Privilege escalation
  • Significant security misconfiguration (when not caused by user)

Of course, bug hunters can always sell their findings on the darknet to criminal organizations that specialize in malware creation for a whole lot more money. That would also be very illegal.
