Microsoft over the past decade has doled out more than $60 million in rewards to researchers who have found various security flaws in its software and is now ready to pay out some more.
The IT and cloud services giant this week noted the 10-year anniversary of a bug program that initially focused on vulnerabilities in Windows 8.1 and Internet Explorer 11. A day later, Microsoft announced a new program that will pay up to $20,000 rewards for finding bugs in the myriad of products that make up its Defender security brand.
“The goal of the Defender Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers,” Microsoft’s Security Research Center (MSRC) wrote in the announcement. “The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs, and will expand to include other products in the Defender brand over time.”
The rewards will range from $500 to $20,000, though even that could rise if Microsoft determines the vulnerability found is severe enough to cause a lot of damage. The program is looking for a range of flaws, from remote code execution (RCE) and elevation of privilege to information disclosure, spoofing, tampering, and denial of service.
More information about the new program can be found here.
It shouldn’t come as a surprise that Microsoft is rolling out another bug bounty program. The company already has almost two dozen of them in place for offerings like Microsoft 365, Azure, Azure DevOps, Identity, and Microsoft Dynamics 365. There also are programs for Windows and Xbox, among others.
In the past five years, the company has paid $58.9 million to 1,117 researchers around the world, with the largest reward being $200,000.
In addition, the company last month launched another bug bounty program that pays between $2,000 and $15,000 for vulnerabilities found in its AI-powered Bing family, including browser iterations, Bing Chat, Bing Chat for Enterprise, and Bing Image Creator. It also covers AI-based Bing integration in the Windows Edge browser and in Microsoft’s Start and Skype Mobile applications on both iOS and Android devices.
Given how rapidly Microsoft is innovating around AI and adopting AI technologies from OpenAI – in which it has invested at least $10 billion – aiming bug bounty hunters at products and services driven by the advanced technology makes sense.
That said, Microsoft hasn’t always been a fan of paying researchers for finding flaws in its products. Before launching Luta Security in 2016, Katie Moussouris spent seven years with Microsoft, including the last three years as senior security strategist lead. It was during that time that Moussouris pitched the idea of a bug bounty program.
It didn’t go over well. Microsoft, like other tech companies and governments, pushed back against the idea. Three years before launching the first bug bounty program, Microsoft officials publicly said they would never pay researchers for finding bugs. Why would they, when hundreds of thousands of reports were coming in from researchers every year for free?
She kept pushing, making financial and other arguments in favor of such programs and getting nowhere.
“Finally, I found a crack in the corporate resistance to bug bounties – external deadlines,” Moussouris wrote in a blog post noting the anniversary. “So, Trustworthy Computing leadership gave me a task to prove: show them when more bugs were being reported via brokers with disclosure deadlines than were coming in directly from security researchers, and they would start paying bug bounties for direct reporting of bugs.”
It took two years, but the first program launched in June 2013.
“Although not pioneers in offering monetary incentives for external parties to report software security vulnerabilities, we were among the first to incentivize the discovery of issues in beta or preview products,” Aanchal Gupta, corporate vice president and deputy CISO at Microsoft, wrote in a blog post. “Our belief was that early identification and resolution of bugs, preferably before the product’s general release, is paramount in customer protection.”
Microsoft revamped its various bug bounty programs in 2019, increasing rewards by as much as 10 times the industry average, creating clear and public guidelines, and focusing the programs on four key factors: vulnerability severity, security impact, the affected product, and how complete the researcher’s report is. The vendor also shortened the payout time from submission to award to less than 30 days.
“In July 2020, we introduced scenario-based categories with higher awards, up to $100,000 for vulnerabilities posing serious risks to customer privacy and security,” Gupta wrote. “Researchers rallied, increasing the number of zero-click Remote Code Execution (RCE) or cross-tenant vulnerabilities found by more than 50% year-over-year.”
Bug bounty programs are now a fairly common tool at organizations as well as government agencies, including the Defense Department. Such programs give the companies and agencies a better understanding of their attack surfaces and the chance to develop mitigations that can harden that surface, she wrote.
It can be lucrative for the bounty hunters. HackerOne in October said it has paid out more than $300 million to ethical hackers, with 30 earning more than $1 million and one surpassing the $4 million mark.
Even some threat groups are looking to outside researchers to help find security problems with their code. The notorious LockBit ransomware group announced that, along with a new version of its malware, it was launching a bug bounty program that would pay security researchers and hackers – both ethical and unethical – $1,000 to $1 million to sniff out and report vulnerabilities.