Microsoft awarded $13.6 million to security researchers in the past 12 months
Image: Microsoft
Catalin Cimpanu July 8, 2021

Microsoft awarded $13.6 million to security researchers in the past 12 months

Microsoft awarded $13.6 million to security researchers in the past 12 months

Microsoft said it awarded more than $13.6 million as monetary rewards to security researchers through its public bug bounty programs over the past 12 months.

According to Microsoft:

  • The funds were awarded for 1,261 bugs reported by 341 security researchers across 17 bug bounty platforms between July 1, 2020 and June 30, 2021.
  • The highest awarded bounty was $200,000 for a vulnerability reported in Hyper-V, Microsoft’s OS virtualization technology.
  • The average bounty was more than $10,000 per valid bug report across all programs.
  • Most bug reports came from researchers residing in China, the US, and Israel.
  • The company said it plans to announce the 2021 Most Valuable Security Researcher next month.
  • The sum awarded this year is identical to what Microsoft reported one year ago when the company said it awarded $13.7 million to 327 security researchers for 1,226 vulnerability reports across 15 bug bounty programs in the previous 12 months (July 1, 2019 to June 30, 2020).

Microsoft’s reported bug bounty payouts are the highest numbers reported by any vendor for yearly payouts.

Nonetheless, despite running the oldest and single biggest bug bounty program today, security researchers believe there are ways the company’s programs could be expanded further.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.