
Microsoft Reward Program Annual Recap: $16.6M Distributed in Incentives | MSRC Blog


We are pleased to share that this year the Microsoft Rewards Program has granted $16.6 million in rewards to 343 security analysts from 55 different nations, helping protect Microsoft customers in collaboration with the Microsoft Security Response Center (MSRC). Each year, we identify numerous potential security threats and collectively safeguard our customers from potential risks through the Microsoft Rewards Program.

The Microsoft Rewards Program plays a vital role in our proactive strategy of incentivized research programs, engaging the external research community to collaborate and shield our customers from security risks. These programs motivate analysts to report vulnerabilities in critical attack surfaces, enabling Microsoft to strengthen our products in an ever-changing security environment that now includes Artificial Intelligence. By adhering to Coordinated Vulnerability Disclosure, security researchers significantly contribute to enhancing the security that millions of Microsoft customers and users depend on daily.

Our initiatives encompass a broad array of products and services, such as Azure, Edge, M365, Dynamics 365, Power Platform, Windows, and Xbox, each with specific guidelines to ensure effective and secure research. Every program has its own scope, eligibility requirements, award range, and submission process to direct analysts in conducting impactful research without unintended repercussions. These guidelines are customized to the unique threat model of each product or domain. For details on each program, please see the Microsoft Bug Bounty Programs website.

Updates on Rewards

As the security landscape and Microsoft’s attack perimeter evolve, so does the Microsoft Rewards Program. Whether expanding scope to encompass new Microsoft products and services or aligning research objectives to guard against malicious actors and innovative attack methods, the Microsoft Rewards Program continuously adapts through program optimizations.

In the previous year, the program publicly introduced the following enhancements:

  • Microsoft AI Rewards Program

  • Extension of the Microsoft Identity Rewards Program scope to include authenticator applications

  • Expansion of Microsoft 365 Insider Program scope to include Microsoft OneNote, offering an award for an unauthenticated, non-sandboxed code execution scenario with no user interaction, and security feature bypasses

  • Launch of the Microsoft Defender Rewards Program

  • Dataverse Integrations Research Grant focusing on cross-tenant information disclosure and elevation of privilege vulnerabilities

  • Secure Boot limited-time bounty award under the Windows Rewards Program


Rewards and Recognitions

Monetary rewards are assigned based on the severity and security impact of the bug, along with the accuracy and completeness of the report. These awards are also aligned with the areas of greatest significance to our customers, to encourage research in these critical domains.

In the forthcoming year, we are dedicated to enhancing our programs based on your feedback. We extend our gratitude to the global security research community for their continued collaboration and for sharing their expertise to safeguard millions of Microsoft customers.

We look forward to strengthening our existing partnerships and building new relationships with the global research community.

Remain Secure and Happy Exploring!

Madeline Eckert, Bruce Robinson, and Lynn Miyashita

Microsoft Rewards Team
