Microsoft accused of slashing bug bounty rewards by up to 90%, allege security researchers

Microsoft Bug Bounty for 2019-20

Microsoft is allegedly making mammoth reductions to its bug bounty monetary rewards, according to accusations from several security researchers. The Redmond giant has apparently slashed the reward for some of these by ten times or 90%.

For example, last year Marcus Hutchins (aka MalwareTech on Twitter) said that one of his Zero-day findings' bug bounty reward value was reduced to $1,000 which was $10,000 earlier.

Under Microsoft's new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000

Some others too have echoed similar sentiments. For example, recently a Hyper-V researcher and Twitter user @rthhh17 stated that Microsoft's reward program thought his Hyper-V remote code execution (RCE) vulnerability was only worth $5,000. From his tweet, it seems the reward was reduced from possibly a much higher amount during the research process. We get back to this at the end of the article.

BE CAREFUL! Microsoft will reduce your bounty at any time! This is a Hyper-V RCE vulnerability be able to trigger from a Guest Machine, but it is just eligible for a $5000.00 bounty award under the Windows Insider Preview Bounty Program. Unfair!

And finally, the most recent example is of Windows security researcher Abdelhamid Naceri, who reportedly told BleepingComputer that he disclosed a new Zero-day bug publicly out of sheer frustration.

When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.

"Microsoft bounties has been trashed since April 2020, I really wouldn't do that if MSFT didn't take the decision to downgrade those bounties," explained Naceri.

Microsoft lists the following rewards (click on images below to enlarge) on its "Microsoft Bug Bounty Program" page:

Microsoft Bug Bounty program rewards
Microsoft Bug Bounty program rewards
Microsoft Bug Bounty program rewards

Interestingly, while Hyper-V researcher @rthhh alleges that his RCE vulnerability finding was deemed worthy of a $5,000 reward, Microsoft's website states that such an entry is worthy of "Up to $250,000" of bounty (image in the middle above). This would mean a reduction of 80% of the bounty reward under the worst-case scenario when viewed from the researcher's perspective.

via BleepingComputer

Report a problem with article
OnePlus 10 Pro Render
Next Article

OnePlus 10 Pro's leaked renders feature Samsung inspired design

Windows 11 Cumulative Updates written against a blue background and a Windows 11 laptop
Previous Article

Windows 11 build 22000.348 optional update brings new Fluent 2D emoji style and more

1 Comment - Add comment

Advertisement