Microsoft is significantly expanding its bug bounty program to include open source and other third-party code, bringing all of its online services under the umbrella in a nod to the expanding attack surface that comes with cloud computing, AI, and other modern environments.
At the Black Hat Europe conference this week in London, the IT giant introduced its “Scope by Default” approach, making all of its online services – including third-party integration – automatically in-scope for security researchers and eligible for a bounty reward through the program.
The shift acknowledges the growing risk that enters through the software supply chain and the need to harden defenses against threats that arrive through third-party commercial or open source components.
“In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services,” Tom Gallagher, vice president of engineering for Microsoft’s Security Response Center, wrote in a blog post. “They don’t care who owns the code they try to exploit. The same approach should apply to the security community who continues to partner with us to provide critical insights that help protect our customers. Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved.”
Supply chain attacks have been a growing concern in the industry for several years, with high-profile and far-reaching attacks involving software maker SolarWinds and the popular Log4j open-source Java logging library.
“They target the complex network of relationships between organizations and their suppliers, vendors, and third-party service providers,” Shmuel Gihon, research team leader at cybersecurity firm Cyberint, wrote in September. “These attacks exploit vulnerabilities that emerge due to the interconnected nature of digital supply chains, which often span multiple organizations, systems, and geographies.”
Gihon added that “by compromising a trusted component or software within the supply chain, malicious actors can infiltrate the target organization, circumventing traditional security defenses and catching victims off guard.”
The latest example is the maximum-severity vulnerability disclosed last week in the React Server Components (RSC) JavaScript library and the frameworks, such as Next.js, that rely on it. Both RSC and Next.js are broadly used, and the React2Shell vulnerability is easily exploited; threat actors around the world are working to abuse the flaw, from dropping backdoors and information-stealers to building botnets and running reconnaissance probes.
React2Shell illustrates why Microsoft’s decision to expand the scope of its bug bounty program makes sense, according to Martin Jartelius, AI product director for cybersecurity vendor Outpost24.
Microsoft’s decision “is an important step, as it focuses on the full attack surface of an organization,” Jartelius said. “A very common security mistake is the careless use of scope, or rather, of what is included. As Mr. Gallagher notes, attackers do not care whether they gain access through React2Shell or a novel vulnerability in Microsoft components.”
In the past, the bug bounty program focused solely on eligible products or services, Gallagher wrote. Now all online services are included by default, and new services are in scope from the day they are released.
“If a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award,” he wrote. “Regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source, we will do whatever it takes to remediate the issue.”
Microsoft wants to encourage more research on high-risk areas, particularly those most likely to be exploited by cybercriminals.
“If Microsoft’s online services are impacted by vulnerabilities in third-party code – including open source, we want to know,” Gallagher wrote. “If no bounty award formally exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code.”
The company already pays out a lot through the program and its Zero Day Quest live-hacking event, handing out more than $17 million last year. It will likely need to set aside more than that going forward, Outpost24’s Jartelius said.
“Microsoft will likely find itself paying out more bounties for a while, but the resulting security improvements will ultimately be a cost-efficient way to strengthen the organization’s overall security posture,” he said.