Microsoft today announced that it has paid out $13.7 million in bug bounties to 327 security researchers over the past year. The figure is more than three times the $4.4 million that Microsoft awarded over the same period last year, showing that the company is increasingly putting its money where its mouth is with respect to external security researchers. The single largest bug bounty awarded was $200,000.
So, why the increased payouts? Microsoft noted that it launched six new bug bounty programs and two new research grants this year. And of course, the company pointed to the coronavirus pandemic as a possible accelerator: “In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic.”
Bug bounty programs motivate individuals and hacker groups not only to find flaws but to disclose them responsibly, instead of exploiting them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs a business peanuts compared with the cost of a serious security breach.
Over the past 12 months, Microsoft received 1,226 eligible vulnerability reports across its 15 bug bounty programs. But the $13.7 million is the standout figure; that is a huge amount to spend on bug bounties in a single year. Google, which is well known for its bug bounty programs, has paid $21 million over nine years, having started paying bug bounties in November 2010.
For whatever reason, Microsoft is declining to disclose how much it has paid out in total since its program began. “Our Bug Bounty program started seven years ago with a goal to further protect our billions of customers as security threats have continued to evolve,” Microsoft Security Response Center senior program manager Jarek Stanley told VentureBeat. “We can’t disclose the exact number payout since the start of the award program.”
At first glance, August might seem like an odd time to share an update on your bug bounty program. But the timing is no coincidence: the Black Hat USA 2020 security conference kicks off tomorrow. Microsoft is championing its holistic approach to customer security, which includes engaging the broader security community through its bug bounties.
“Security researchers are a vital component of the cybersecurity ecosystem that safeguards every facet of digital life and commerce,” Microsoft wrote today. “The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude.”