Microsoft Paid Hackers More Than $13 Million In Past 12 Months

Microsoft has confirmed that during the past 12 months it paid hackers a total of $13.7 million (£10.4 million) which is three times as much as it did the year before.

So, why is Microsoft paying hackers at all? It’s a good question, and the answer is simple: to help safeguard users of Microsoft products and services.

Like every vendor or service provider who takes security seriously, Microsoft has a bug bounty program that encourages “white hat” hackers to find and disclose flaws that could open a window to attackers.

These security researchers report the bugs they find to Microsoft through a process of coordinated vulnerability disclosure and are paid according to the product affected and the nature and criticality of the vulnerability.

During the past 12 months, Microsoft said that across all of its 15 bounty programs it saw a higher than average report volume during the first months of the pandemic. It launched six new bounty programs, and a total of 1,226 eligible reports were filed by 327 hackers.

The $13.7 million paid out by Microsoft dwarfs the $4.4 million (£3.3 million) it paid during the previous 12-month period. This doesn’t mean there are more security problems with Microsoft products than ever.

Instead, more researchers are doing a better job of finding and disclosing them, encouraged by the emergence of new bounty programs.

The biggest single reward paid was $200,000 (£153,000), although the biggest Microsoft bounty on offer is $250,000 (£190,000) for finding critical remote code execution, information disclosure and denial-of-service vulnerabilities in Hyper-V.

Microsoft has thanked all those who shared their research, saying that “millions of customers, and the broader ecosystem, are more secure thanks to their efforts.”

I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at [email protected] if you have a story to reveal or research to share.
