New Microsoft Defender Bounty Program Offers up to 20K Rewards

Key Takeaways:

  • Microsoft has launched the Defender Bounty Program to incentivize security researchers in discovering vulnerabilities in its security solution.
  • The Microsoft Defender Bounty Program offers rewards ranging from $500 to $20,000 based on the severity of the identified issues.
  • The program initially focuses on Microsoft Defender for Endpoint APIs, with plans to expand coverage over time.

Microsoft announced yesterday the launch of its new Defender Bounty Program. The new program is aimed at enticing security researchers to unearth new vulnerabilities in the security solution in exchange for rewards between $500 and $20,000.

The submissions must specify the severity (Critical or Important) and step-by-step instructions to reproduce the issue in the fully patched version of the product. Microsoft will assess the severity, impact, and quality of vulnerability submissions to determine the final reward amount. The highest reward will be granted to security researchers who submit high-quality reports of critical severity remote code execution flaws.

“The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team. The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs, and will expand to include other products in the Defender brand over time,” the Microsoft Security Response Center team explained.

Microsoft Defender Bounty Program targets XSS, CSRF, SSRF, and other vulnerabilities

The new bounty program invites security researchers to report a range of vulnerability classes in Microsoft Defender for Endpoint APIs. The in-scope list includes cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), cross-tenant data tampering or access, insecure direct object references, insecure deserialization, injection vulnerabilities, server-side code execution, significant security misconfiguration, and use of components with known vulnerabilities.

Microsoft continuously updates its bug bounty programs in an effort to improve its services like Microsoft 365, Windows, Azure, Edge, Xbox, and more. Over the past ten years, the company has paid out $63 million in rewards to 1,117 researchers who participated in its bug bounty programs. If you’re interested, you can learn more about how to join the Microsoft Defender Bounty Program on this page.