Microsoft on Monday announced that it has paid out $63 million in rewards to the security researchers participating in its bug bounty programs.
The tech giant launched its first bug bounty programs in 2013, when it was accepting reports of exploitation techniques in Windows 8.1 and flaws in the preview version of Internet Explorer 11.
Initially, Microsoft was receiving less than 100 reports annually, from the few dozen researchers who were participating. The company was paying a few hundred dollars in rewards annually.
Now, the company is running 17 bug bounty programs covering Azure, Edge, Microsoft 365, Windows, Xbox, and more, with rewards of up to $250,000 offered for high-impact bugs in the Hyper-V hypervisor.
According to Microsoft, thousands of security researchers from 70 countries are now receiving bug bounties. Students, academics, and full-time cybersecurity professionals are also participating in the company’s bug bounty programs.
Of the total $63 million handed out since 2013, $60 million were paid over the past five years, the company says. Starting 2020, Microsoft has been handing out more than $13 million annually to roughly 300 researchers.
“The data from the programs is a critical part of arming product and security teams across the company to deliver broader security improvements and mitigations beyond one-off bug fixes,” Microsoft says.
Since 2013, Microsoft has changed its bug bounty rewards policies several times, to offer monetary payments even for bugs that had already been discovered internally, and to make it clearer for researchers what vulnerability reports are eligible.
The award amounts were increased as well, concentrating on flaws with increased customer impact, and patching times have been shortened, the tech giant says.
“Today, incentives and partnership are baked into our company’s vulnerability disclosure program. Every report that is triaged, assessed, and fixed is reviewed for potential bounty eligibility. There is no need to register, no need to sign up, everyone is invited,” the company notes.