Microsoft has announced a number of improvements in its bounty programs to better serve the security research community.
In 2018 The Microsoft Bounty Program awarded over $2,000,000 to encourage and reward external security research in key technologies.
As of January 2019, the Cloud, Windows, and Azure DevOps programs now award bounties upon completion of reproduction and assessment of each submission, rather than waiting until the final fix has been determined. Shortening the time from submission to award determination mean bounty rewards will reach researchers faster.
Microsoft is partnering with HackerOne for bounty payment processing and support to deliver bounty awards with more options like PayPal, crypto currency, or direct bank transfer in more than 30 currencies. HackerOne also supports award splitting and charity donations. Additionally, Microsoft bounty awards processed through HackerOne will contribute to a researcher's overall reputation score on the HackerOne platform.
Vulnerability reports should still be sent to the Microsoft Security Response Center directly at firstname.lastname@example.org.
Microsoft is rewarding more for vulnerability reports in multiple bounty programs; in January 2019 the company raised top award levels from $15K to $50K for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty program which includes Azure, O365, and other online services. Microsoft has also expanded the scope of the Cloud bounty and promises to continue to expand scope and rewards across its programs throughout the year.
Historically, external reports of internally known vulnerabilities were rewarded 10% of the eligible bounty award as the report did not inform Microsoft of a new and previously unknown issue. By updating Microsoft's policy on duplicate submissions, the first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award, even if it is internally known. There is no change to Microsoft's policy regarding duplicate external reports of the same vulnerability.