Microsoft Defender Bounty Program: How to sign up & win awards up to $20,000 by spotting vulnerabilities

If you're passionate about bug/vulnerability hunting, this program might be for you.


Microsoft Defender Bounty Program

Microsoft announced the introduction of the Microsoft Defender Bounty Program in the Redmond-based tech giant’s latest security blog post. The new program rewards eligible individuals who find vulnerabilities in in-scope Microsoft Defender products and services.

It is well known that Microsoft is constantly targeted by threat actors, and its products are frequent subjects of cyberattacks.

For instance, earlier this year, studies showed that over 80% of Microsoft 365 accounts were targeted by attacks in 2022, with 60% of those attacks succeeding. Even more worrying, another study found that Microsoft Teams is susceptible to modern malware.

With this in mind, Microsoft’s plan for the new Defender Bounty Program is to offer rewards of up to $20,000 to researchers who find critical vulnerabilities.

The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team. The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs, and will expand to include other products in the Defender brand over time.  

Microsoft

However, before signing up, there are some points you need to be aware of, including the conditions that make a submission eligible for the program. Follow along as we go through them all.

Microsoft Defender Bounty Program: What are the eligible submissions?

To get started and join the program, you need an active Microsoft Defender for Endpoint tenant, which the Redmond-based tech giant is more than happy to provide as a three-month trial.

With that out of the way, Microsoft’s dedicated page for the program lists all the submission types that will be rewarded. The reward amount varies with the severity of the vulnerability found.

Here are all the points that make a submission eligible for rewards:

  • Identify a vulnerability in listed in-scope Defender products that was not previously reported to, or otherwise known by, Microsoft. 
  • Such vulnerability must be Critical or Important severity and reproducible on the latest, fully patched version of the product or service. 
  • Include clear, concise, and reproducible steps, either in writing or in video format. 
  • Provide our engineers with the information necessary to quickly reproduce, understand, and fix the issue.

Microsoft Defender Bounty Program

Microsoft also asks researchers to:

  • Submit through the MSRC Researcher Portal. 
  • Indicate in the vulnerability submission which high-impact scenario (if any) your report qualifies for. 
  • Describe the attack vector for the vulnerability. 

The rewards range from $500 to $20,000 depending on the vulnerability type, the quality of the report, and the severity of the vulnerability; only Critical and Important severities are paid. The full breakdown is below.

Vulnerability Type        Report Quality   Critical   Important   Moderate   Low
Remote Code Execution     High             $20,000    $15,000     $0         $0
                          Medium           $15,000    $10,000     $0         $0
                          Low              $10,000    $5,000      $0         $0
Elevation of Privilege    High             $8,000     $5,000      $0         $0
                          Medium           $4,000     $2,000      $0         $0
                          Low              $3,000     $1,000      $0         $0
Information Disclosure    High             $8,000     $5,000      $0         $0
                          Medium           $4,000     $2,000      $0         $0
                          Low              $3,000     $1,000      $0         $0
Spoofing                  High             N/A        $3,000      $0         $0
                          Medium           N/A        $1,200      $0         $0
                          Low              N/A        $500        $0         $0
Tampering                 High             N/A        $3,000      $0         $0
                          Medium           N/A        $1,200      $0         $0
                          Low              N/A        $500        $0         $0
Denial of Service         High/Low         Out of scope

If you’re interested in the new program, you can read more about it on its dedicated page, including more technical details on the nature of the eligible submissions.
