Microsoft is allegedly making deep cuts to its bug bounty payouts, according to several security researchers. The Redmond giant has apparently reduced the reward for some classes of finding by a factor of ten, i.e. by 90%.
For example, last year Marcus Hutchins (aka MalwareTech on Twitter) said that the bounty for one of his zero-day findings had dropped from $10,000 to $1,000.
Under Microsoft's new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000 💀 — MalwareTech (@MalwareTechBlog) July 27, 2020
Others have echoed similar sentiments. For example, Hyper-V researcher and Twitter user @rthhh17 recently stated that Microsoft's reward program valued his Hyper-V remote code execution (RCE) vulnerability at only $5,000. His tweet suggests the reward was cut from a considerably higher amount while the report was being processed. We return to this at the end of the article.
BE CAREFUL! Microsoft will reduce your bounty at any time! This is a Hyper-V RCE vulnerability that can be triggered from a Guest Machine, but it is just eligible for a $5000.00 bounty award under the Windows Insider Preview Bounty Program. Unfair! @msftsecresponse — rthhh (@rthhh17) November 9, 2021
And finally, the most recent example is that of Windows security researcher Abdelhamid Naceri, who reportedly told BleepingComputer that he disclosed a new zero-day bug publicly out of sheer frustration.
When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.
"Microsoft bounties have been trashed since April 2020, I really wouldn't do that if MSFT hadn't taken the decision to downgrade those bounties," explained Naceri.
Microsoft lists the following rewards on its "Microsoft Bug Bounty Program" page:
Interestingly, while Hyper-V researcher @rthhh17 says his RCE finding was deemed worth a $5,000 reward, Microsoft's website states that such a vulnerability is eligible for "Up to $250,000" in bounty. Taken at face value, that is a reduction of 98% from the advertised maximum, not 80%. Note, however, that the tweet itself says the award was made under the Windows Insider Preview Bounty Program rather than the Hyper-V bounty, so the gap appears to come from which program the report was assessed under; researchers should check which program a submission is routed to before assuming the headline figure applies.