Microsoft Bounty Programs

Calling all Microsoft friends, hackers, and researchers! Want to help us protect customers and make some of our most popular products better? And earn money doing so? Step right up!

Microsoft is now offering direct payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.

Microsoft has championed many initiatives to advance security and to help protect our customers, including the Security Development Lifecycle (SDL) process to build more secure technologies and Coordinated Vulnerability Disclosure (CVD). We formed industry collaboration programs such as the Microsoft Active Protections Program (MAPP) and Microsoft Vulnerability Research (MSVR), and created the BlueHat Prize to encourage research into defensive technologies. Our new bounty programs add depth and flexibility to our existing community outreach programs. They provide a way to harness the collective intelligence and capabilities of security researchers to help further protect customers.

In November 2013, Microsoft initiated the Mitigation Bypass Bounty and the Bounty for Defense. We continued expanding our bounty programs and in September 2014 announced the Online Services Bug Bounty program.

On 22nd April 2015, Microsoft announced an extension to the Online Services Bug Bounty program to include various Microsoft Azure properties. We also announced a new Microsoft Edge Preview Bug Bounty program.

On 20th October 2015, we added the .NET Core runtime and the public technical preview of ASP.NET.

  1. CoreCLR and ASP.NET 5 Technical Preview Bug Bounty
    Start Date: 20th October 2015
    End Date: 20th Jan 2016
    Timeframe: Ongoing

    Microsoft is launching a bounty program to reward security researchers for their efforts in helping us make .NET more secure. The program applies strictly to the .NET Core runtime, called CoreCLR, and the beta versions of ASP.NET. Qualified submissions are eligible for payment from a minimum of $500 USD up to $15,000 USD.

  2. Online Services Bug Bounty
    Start Date: 23rd September 2014
    Microsoft Azure services additions: 22nd April 2015
    Timeframe: Ongoing

    The Online Services Bug Bounty program gives individuals across the globe the opportunity to submit vulnerability reports on eligible Online Services (O365 and Microsoft Azure) provided by Microsoft. Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customers' environments more secure. Qualified submissions are eligible for payment from a minimum of $500 USD up to $15,000 USD.

  3. Mitigation Bypass Bounty
    Start Date: 26th June 2013
    Timeframe: Ongoing

    Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system. Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would.

  4. Bounty for Defense
    Start Date: 26th June 2013
    Timeframe: Ongoing

    Additionally, Microsoft will pay up to $100,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass submission. Doing so highlights our continued support of defensive technologies and provides a way for the research community to help protect more than a billion computer systems worldwide (in conjunction with the Mitigation Bypass Bounty).

Closed Programs

  1. Microsoft Edge Technical Preview Bug Bounty
    Timeframe: 22nd April 2015 to 22nd June 2015

    Microsoft will pay up to $15,000 USD for critical and important vulnerabilities that affect Project Spartan (the latest browser in Windows Technical Preview). The program is intended to give security researchers an incentive to report vulnerabilities to Microsoft during the Technical Preview period, rather than after the product is in general use, to minimize customer impact. This program is time bound and will run from 22nd April to 22nd June 2015.

  2. Internet Explorer 11 Preview Bug Bounty
    Timeframe: 26th June to 26th July, 2013

    Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows. The entry period for this program will be the first 30 days of the Internet Explorer 11 beta period (26th June to 26th July 2013). Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure.

Happy Hunting,

Microsoft Security Response Center