Bug bounty programs are something that almost every major company (and many minor ones) has in place. Encouraging black hats and grey hats to act as white hats, a bug bounty program offers a reward (typically cash or sometimes other prizes) to a hacker for finding vulnerabilities within the company's website/service/product and disclosing them to the company.
This is opposed to a hacker finding the vulnerability and then exploiting it themselves or selling it on the black market. By having a system in place, the company itself benefits by deterring hackers from exploiting its services, as well as having the luxury of a more secure system after the vulnerability is reported and patched.
Microsoft's bug bounty program has been in place for some time, but this week the company announced that it is expanding the program and improving the rewards for reporting a problem. Starting today, the top reward for reporting a vulnerability to Microsoft can reach as high as $100,000; previously the ceiling was capped at $50,000.
In addition to raising the prize size, they are also extending the authentication vulnerabilities bonus period until October 5, 2015; the company will pay double the normal payout during this time period.
Even though $100,000 sounds like a lot of money for reporting a bug, these programs can save Microsoft quite a bit of cash: if a serious vulnerability is exploited instead of reported, it can cost the company many times more than the bug bounty. In addition, any time there is a serious security vulnerability, it impacts the reputation of the company.
If you want to learn more about the new program, you can check out the company's blog post here.