Microsoft launches Defender Bounty Program to find bugs in its security software

Microsoft has added yet another bug bounty program to its growing portfolio. With the launch of the Microsoft Defender Bounty Program, the company is offering financial rewards to researchers who “uncover significant vulnerabilities” in its range of security products and services.

The program is focused solely on vulnerabilities of Critical or Important severity, and Microsoft is offering rewards of between $500 and $20,000 for eligible submissions. The program starts with a deliberately narrow scope, and Microsoft intends to widen it further down the line.


The initial focus of the Microsoft Defender Bounty Program is Microsoft Defender for Endpoint APIs, and the company says that it is interested in “significant vulnerabilities that have a direct and demonstrable impact on the security of our customers”.

The list of vulnerabilities that will be considered for rewards is fairly short: Remote Code Execution, Elevation of Privilege, Information Disclosure, Spoofing, and Tampering. And although a range of possible awards has been set out, Microsoft says:

Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Eligible submissions will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program to earn swag and a place on the Microsoft Most Valuable Researcher list.

Full details of the Microsoft Defender Bounty Program are available here.
