This Is How Microsoft Keeps its Entire Ecosystem of Products Safe and Secure

By Bill Toulas | September 8th, 2020


Over the last twelve months (July 1, 2019 to June 30, 2020), Microsoft paid no less than $13.7 million in bounties to security researchers who found and reported software vulnerabilities. The payouts were made through 15 bug bounty programs run for this purpose. Each program defines the research space, the scope of reports it will accept, and whether a submission must include proof-of-concept code demonstrating the exploit.

Products covered by these bounty programs include Microsoft 365 (cloud services), Azure (cloud platform), Microsoft Edge (web browser), Xbox (gaming console), and Windows (operating system). These products are used by millions of customers, often in critical settings, so finding flaws in them and fixing the vulnerabilities before attackers exploit them is crucially important.

In numbers, Microsoft received thousands of eligible vulnerability reports, but not every report earned its submitter the same amount. The payout depends on the severity of the flaw, how easy it would be for malicious actors to exploit, and how many customers are affected. For example, a vulnerability leading to an Outlook account compromise through remote code execution, with no authentication required, could pay up to $20k.

Microsoft is not only interested in fixing its own vulnerabilities, but also in closing security gaps in the software that is routinely deployed alongside its portfolio. To that end, it recently joined the Open Source Security Foundation (OpenSSF), where other tech giants such as Google and IBM collaborate on finding and fixing critical vulnerabilities in widely used open source software. Microsoft is already supporting the open source community by releasing tools intended to help maintainers detect and fix vulnerabilities much sooner.

As for COVID-19's impact on the field, home isolation appears to have contributed to an increase in the volume of bug reports, since researchers have had more time to look deeper into the code of software tools and find flaws.

Bill Toulas
