Microsoft Partners with HackerOne to Enhance Bug Bounties
Security researchers will benefit from increased bounties, faster payment times and will be able to access their rewards as soon as vulnerabilities have been reproduced and assessed.
Microsoft is partnering with hacker community HackerOne to enhance its bug bounty programme. The partnership will speed up payment times for security researchers and ethical hackers who uncover flaws in Microsoft’s Cloud, Windows and Azure DevOps environments.
Bounty hunters will be able to receive payments via PayPal, with direct bank account payments available in more than 30 countries globally.
In a blog post published last week, Microsoft senior program manager, Jarek Stanley, said: “Microsoft is committed to enhancing our Bounty Programs and strengthening our partnership with the security research community, and I look forward to sharing more updates and improvements in the coming months.”
As well as speeding up payments, using HackerOne means that those identifying pesky vulnerabilities will be able to split their bounty or donate rewards to charities. In 2018, Microsoft awarded more than $2 million (£1.53 million) from its bounty programmes, which play a crucial role in helping the company to fine-tune and improve products and services.
Under the new framework, bounties will also increase. In January of this year, Microsoft raised its top award levels from $15,000 (£11,446) to $50,000 (£38,154) for the Windows Insider Preview bounty.
Those who find bugs in Microsoft’s Cloud Bounty programme – which includes Azure, O365, and other online services – can also receive up to $20,000 (£15,262) if successful.
The firm said it will continue to expand the scope and rewards framework across its programmes throughout 2019 and will offer regular updates on bounty programme announcements via its social media accounts.
Security researchers will also be paid as soon as a vulnerability has been reproduced and assessed as part of the tie-up, whereas previously people would have to wait until a fix had been developed.
New policies for duplicates have also been introduced. If an external party discovers a vulnerability that is already known to Microsoft – which has been identified by an internal team – then the individual submitting the flaw will receive the full bounty amount.
Previously, this would involve an individual only receiving 10% of the eligible bounty amount. The firm added that Microsoft bounty awards processed through HackerOne will contribute to a person's overall reputation score on the HackerOne platform.