Skip to main content

Microsoft Bounty Programs

MS Bounty Programs Shield

Friends, hackers, researchers! Want to help us protect customers, making some of our most popular products better? And earn money doing so? Step right up…

Microsoft is now offering direct payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.

Microsoft has championed many initiatives to advance security and to help protect our customers, including Coordinated Vulnerability Disclosure (CVD), industry collaboration programs such as Microsoft Active Protections Program (MAPP) and Microsoft Vulnerability Research (MSVR), and created the BlueHat Prize to encourage research into defensive technologies. Our new bounty programs add expanded depth and flexibility to our existing community outreach programs. Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers.

Microsoft has expanded the pool of our Bounty programs to include the following ongoing programs:

  1. Online Services Bug Bounty
    TIMEFRAME: Started on September 23, 2014

    The Online Services Bounty gives individuals across the globe an opportunity to submit vulnerability reports on eligible Online Services provided by Microsoft. Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customer’s environment more secure. Qualified submissions are eligible for payment from a minimum of $500 USD.

  2. Mitigation Bypass
    TIMEFRAME: Started on June 26, 2013

    Microsoft has expanded the participant pool for the Mitigation Bypass Bounty program. Participants can now include responders, other individuals and organizations who turn in novel mitigation bypass techniques that they see used in attacks in the wild. Microsoft will pay up to $100,000 USD for these novel exploitation techniques against protections built into the latest version of our operating system. Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would.

  3. BlueHat Bonus for Defense
    TIMEFRAME: Started on June 26, 2013

    Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass submission. Doing so highlights our continued support of defensive technologies and provides a way for the research community to help protect more than a billion computer systems worldwide. (In conjunction with the Mitigation Bypass Bounty).


    Internet Explorer 11 Preview Bug Bounty

    TIMEFRAME: June 26 to July 26, 2013

Microsoft paid up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows. The entry period for this program will be the first 30 days of the Internet Explorer 11 beta period (June 26 to July 26, 2013). Learning about critical vulnerabilities in Internet Explorer as early as possible during the public preview will help Microsoft make the newest version of the browser more secure.

Want to know more?

Happy Hunting!,

The BlueHat team