TL;DR
Microsoft's Security Response Center says it will pay researchers for critical flaws that affect its online services regardless of whether the vulnerable code is owned by Microsoft, a third party, or open source. The company calls the policy 'in scope by default' and says it plans to increase bug bounty spending beyond the more than $17 million paid last year.
What happened
At Black Hat Europe, Tom Gallagher, VP of engineering at Microsoft Security Response Center (MSRC), announced a change to the company's bug bounty approach described as 'in scope by default.' Under this model, MSRC will reward researchers who report critical vulnerabilities that demonstrably impact Microsoft’s online services even when the vulnerable codebase is third-party or open source. Gallagher said the same vulnerability class and severity will attract the same monetary award whether the issue is found in Microsoft-owned products or elsewhere, and that the company will act to remediate such problems regardless of code ownership. The policy is intended to cover newly launched products and services that may not yet have dedicated bounty programs, and to focus researcher attention on high-risk areas, especially across cloud and AI. Microsoft reported paying more than $17 million in awards last year and expects to boost spending going forward.
Why it matters
- Expands financial incentives for researchers to hunt for high-impact bugs across third-party and open-source components that affect Microsoft services.
- Aims to reduce coverage gaps by treating new and unlisted products as eligible for payouts from day one.
- Could concentrate more attention on critical attack surfaces in cloud and AI services, areas Microsoft cited as priorities.
- Signals a shift away from prescriptive, product-by-product bounty eligibility toward a risk-focused, service-oriented model.
Key facts
- 'In scope by default' is the label MSRC is using for the new approach.
- Tom Gallagher announced the change at the Black Hat Europe conference.
- Microsoft will pay for critical vulnerabilities that have a demonstrable impact on its online services, regardless of whether the code is Microsoft-owned, third-party, or open source.
- The company says identical vulnerability classes and severities will receive equivalent monetary awards across codebases.
- The policy is intended to cover products and services that do not yet have a dedicated bounty program at launch.
- Microsoft said it paid more than $17 million in awards last year via its bug bounty program and the Zero Day Quest competition.
- MSRC indicated it expects to increase its bug bounty spending.
- Past researcher complaints include slow response times and disputed triage decisions, according to reporting in the source.
What to watch next
- How MSRC will define and measure 'demonstrable impact' for vulnerabilities — not confirmed in the source.
- Whether triage and response timelines will change under the new model to address past complaints about slow handling — not confirmed in the source.
- The specific increase in bounty budget and any program-level rules or exclusions that accompany the 'in scope by default' policy — not confirmed in the source.
Quick glossary
- Bug bounty program: A formal program in which an organization offers monetary rewards to security researchers who report software vulnerabilities responsibly.
- Zero-day: A previously unknown vulnerability that can be exploited before a vendor has issued a patch or mitigation.
- Triage: The process of assessing incoming vulnerability reports to determine severity, exploitability, and priority for remediation.
- Open source: Software whose source code is publicly available and can be inspected, modified, and distributed by anyone under its license.
Reader FAQ
Will Microsoft pay for bugs in third-party or open-source code?
Yes. MSRC says it will pay for critical vulnerabilities that have demonstrable impact on Microsoft's online services even when the code is third-party or open source.
Does the change make all vulnerabilities eligible for bounty payments?
Not confirmed in the source.
How much more will Microsoft spend on bounties going forward?
Not confirmed in the source beyond the company's statement that it expects to increase spending after paying more than $17 million last year.
When does the 'in scope by default' policy take effect?
Not confirmed in the source.
Source headline: Microsoft promises more bug payouts, with or without a bounty program. Critical vulnerabilities found in third-party applications eligible for award under 'in scope by default' move. By Connor Jones…
Sources
- Microsoft promises more bug payouts, with or without a bounty program
- Microsoft will expand bug bounties – even on programs …
- Microsoft now buys bugs, with or without a bounty program
- Microsoft promises more bug payouts, with or without a …