Microsoft has paid out a total of $13.7m (£11.3m, €13.3m) in bug bounties over the past 12 months, with 330 researchers from 46 countries acknowledged for their assistance in discovering and reporting a total of 1,091 valid vulnerabilities in Redmond’s products across 17 different bug bounty programmes.
Vulnerabilities in Microsoft’s wares are particularly valuable to threat actors due to the ubiquitous nature of its products in the modern enterprise – Microsoft frequently finds itself dealing with high-profile incidents such as PrintNightmare or ProxyLogon, and its monthly Patch Tuesday drop is a must-watch event for security professionals.
On this basis, bug bounties paid out by Microsoft tend to be higher, with the average payout made through its programme coming it at $12,000, substantially above the general average of $3,000, as reported by bug bounty specialist HackerOne.
The largest payment made by Microsoft in the past year was a massive $200,000 under the Hyper-V programme, for an undisclosed vulnerability.
Broken out by geography, Microsoft’s data reveal the majority of the ethical hackers working through its programmes are located in China, India and the US, ahead of Australia, Canada, Germany and the UK.
Microsoft’s Lynne Miyashita and Madeline Eckert wrote: “We believe partnerships with the global security research community are an essential part of protecting customers, and we will continue to invest in and evolve our bounty programmes as a part of strengthening these partnerships. Thank you to all the researchers who shared their research with Microsoft this year to help secure millions of Microsoft customers.”
In the past year, Microsoft has poured focus into evolving its programmes and partnerships in response to the changing threat landscape, they added, particularly as it relates to cloud-based products and services. “A key element of this maturing process is listening to feedback from researchers to remove barriers to entry and better facilitate research efforts,” they said.
“This year, we introduced a research challenge and new high-impact attack scenarios across many of our programmes to award research focused on the most critical areas to customer security.
“The addition of these attack scenarios to our Azure, Dynamics 365 and Power Platform, and M365 bounty programmes helps to focus research on the highest impact cloud vulnerabilities including areas like Azure Synapse Analytics, Key Vault, and Azure Kubernetes Services.”
Meanwhile, the high-impact and valuable work of ethical hackers was on display this week at Black Hat USA in Las Vegas, where crowdsourced bug specialist Bugcrowd ran its first in-person, live hacking event since the Covid-19 pandemic began, on behalf of Indeed.com, a job-search platform.
Bugcrowd’s Vegas Bug Bash connected Indeed.com with ethical hackers to test out its business-critical attack surfaces and mobile applications, uncovering potentially dangerous security blind spots, and improving testing methodologies at the same time.
Indeed is a long-standing customer of Bugcrowd, and has already rewarded more than 1,500 valid vulnerability submissions. The firm’s chief information security officer (CISO) Anthony Moisant said: “At Indeed, job seekers and employers alike trust us to protect their information. As we continue rapid growth and product development, we all know that bad actors continue advancing their tactics.
“By engaging Bugcrowd researchers in this Bug Bash, we’re partnering with good actors to help spot – and fix – vulnerabilities to help people get jobs securely.”
“We are excited about this latest Bug Bash because working in teams showcases the power of human ingenuity, and we want to congratulate Indeed on being a security-first company looking to further ensure their digital assets are secure,” said Ashish Gupta, Bugcrowd CEO.
“With the sprawling digitisation of information and assets, and the resulting increase in cyber threats, business leaders need to adopt continuous testing practices that align with their continuous innovation.”