Microsoft awarded $13.6 million to security researchers in the past 12 months
Microsoft said it awarded more than $13.6 million as monetary rewards to security researchers through its public bug bounty programs over the past 12 months.
- The funds were awarded for 1,261 bugs reported by 341 security researchers across 17 bug bounty platforms between July 1, 2020 and June 30, 2021.
- The highest awarded bounty was $200,000 for a vulnerability reported in Hyper-V, Microsoft's OS virtualization technology.
- The average bounty was more than $10,000 per valid bug report across all programs.
- Most bug reports came from researchers residing in China, the US, and Israel.
- The company said it plans to announce the 2021 Most Valuable Security Researcher next month.
- The sum awarded this year is identical to what Microsoft reported one year ago when the company said it awarded $13.7 million to 327 security researchers for 1,226 vulnerability reports across 15 bug bounty programs in the previous 12 months (July 1, 2019 to June 30, 2020).
Microsoft's reported bug bounty payouts are the highest numbers reported by any vendor for yearly payouts.
Nonetheless, although Microsoft runs the oldest and single biggest bug bounty program today, security researchers believe there are ways the company's programs could be expanded further.
My view: unbelievable with such a big payout MSFT still:
- No love for Office research (msft revenue generator)
- No love for enterprise server-side research (hello, #proxylogon)
- No love for creative attack vector/surface research (in the spirit of hacking - go deeper) https://t.co/KiVDBmSaUB
— Haifei Li (@HaifeiLi) July 8, 2021
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.