Hunting bugs for Microsoft could make for a seriously lucrative career

Microsoft has ramped up its bug bounty program this year, paying out millions in the last twelve months to researchers able to identify vulnerabilities in its products.

The company paid out $13.7 million in total, which represents a significant increase on the $4.4 million awarded the previous year - and is also more than double the $6.5 million paid out by Google in 2019.

According to Microsoft, 1,226 eligible vulnerability reports were filed by a total of 327 researchers, making for an average payout of $11,000 per bug and $42,000 per researcher - a handsome salary supplement.

The most lucrative Microsoft bounty claimed in the last twelve months hit $200,000, which ranks among the largest ever awarded for a single vulnerability.

Microsoft bug bounties

According to a new blog post from Microsoft Security Response Center, the firm now operates 15 bug bounty schemes in total, having redoubled its focus on the program in recent months.

Within the last year, Microsoft has launched six new bounty programs, attached to products including Azure, Edge, Dynamics 365, Xbox and more.

The company also updated two security research programs and rolled out a further three, linked to the company’s Identity services and its work in the field of AI.

Across the board, Microsoft reported increased levels of researcher engagement and higher report volumes in the first half of 2020 (attributed to the coronavirus lockdown), which offers some explanation for the sharp rise in bounties claimed.

“Security researchers are a vital component of the cybersecurity ecosystem that safeguards every facet of digital life and commerce. The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our respect and gratitude,” reads the blog post.

“The security landscape is constantly changing with emerging technology and new threats. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), security researchers have continued to help us secure millions of customers.”