Microsoft massively expands the scope of its bounty program


Microsoft is one of many technology firms that run a bounty program, paying financial rewards to anyone who discovers security flaws in its products and services. The company has now announced a major expansion of the scheme: it covers vulnerabilities found in third-party code, including open source, when they affect Microsoft's online services.

Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center, announced the broadened scope at Black Hat Europe. He stressed that “keeping our customers secure is our top priority”.

The change does not mean that Microsoft will pay for literally any security flaw. The bar is a critical vulnerability with a direct and demonstrable impact on Microsoft's products and services, including its online and AI services. Once that bar is met, it no longer matters whether the affected code is Microsoft's own or a third party's.

Gallagher says:

Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue. Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit. Where no bounty program exists, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft.

The change is being referred to as In Scope by Default, and it marks an important shift in Microsoft's approach to vulnerability research. Microsoft says that the expansion gives researchers clarity about what is eligible and ensures that it incentivizes responsible research wherever its customers may be affected.

Continuing, Gallagher says:

Last year, through our bug bounty program and live-hacking event, Zero Day Quest, we awarded more than $17 million for high-impact security research. The changes we are making today will expand award eligibility, especially for these key areas:

  • Microsoft-owned domains and cloud services: Security researchers don’t have our insider perspective and are uniquely placed to think like an attacker. By working with us and following our rules of engagement, we can implement mitigations and protections that continually raise the bar against malicious attacks, adding an additional layer of security for our customers.
  • Third-party code, including open source: If Microsoft’s online services are impacted by vulnerabilities in third-party code, including open source, we want to know. If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code.

As Microsoft and the security community work together, we follow the Rules of Engagement for Responsible Security Research to ensure customer data and privacy are protected. We expect researchers to understand these guidelines before they begin. They can then submit their findings for assessment and coordinated disclosure.

More details are available here.

Image credit: HJBC / depositphotos