
Microsoft Pays Hackers $16.6 Million—But Windows Zero Days Continue


Microsoft’s bug bounty program, established to help secure its products and services from attack, has been operational since 2013. In that time it has paid more than $60 million to hackers for uncovering vulnerabilities, $16.6 million in the latest reporting period alone. Which raises the question: why are there still so many vulnerabilities, including the dreaded ones used in zero-day exploits, coming out of the Windows woodwork?


How Hackers Get Paid To Hack Microsoft Without Breaking The Law

The security threats to users of Microsoft platforms and services, from Windows zero-days to Microsoft Account takeover attacks, have one thing in common, namely vulnerabilities. Something, somewhere, buried in the code of a product or even the flow of a service process, that can leave a way in for hackers and cybercriminals. Uncovering these vulnerabilities before they can be exploited is key to protecting users from those who would do them and their data harm. It’s why Google paid $11.8 million to hackers through its bug bounty program across 2024. And it’s what Microsoft has spent in excess of $60 million, $16.6 million the last reporting period alone, paying hackers for the exact same thing.

A March 13 posting by Tom Gallagher, vice president of engineering at the Microsoft Security Response Center, has confirmed that the discovery and rapid mitigation of security vulnerabilities is more crucial than ever before. “MSRC partners with product teams across Microsoft, as well as external security researchers,” Gallagher said, “to investigate reports of security vulnerabilities affecting Microsoft products and services.”

It is the latter, the external security researchers, the hackers in question, that are often eligible for payments as part of Microsoft’s incentivized bug bounty programs.

Microsoft follows the coordinated vulnerability disclosure principle for such hackers when responding to and mitigating security vulnerabilities. “This approach gives researchers recognition for their work,” Gallagher said, “and provides Microsoft an opportunity to address newly reported vulnerabilities before bad actors can exploit them.” Apart from when they don’t get that opportunity, and the threat actors do. And that’s where the zero-day exploits enter the equation.


When Hackers Attack Before A Vulnerability Is Disclosed

A zero-day attack, as my friend and colleague Kate O’Flaherty describes it, exploits a vulnerability that has not yet been fixed. “The term zero day stems from the fact that it’s out there and known to the vendor, and there are zero days to issue a fix,” O’Flaherty said. “It’s therefore a race against time for the vendor responsible for the operating system to issue a patch for the flaw, before attackers can get hold of the details.”

Here’s the shocking truth: not all hackers are cybercriminals, but all cybercriminal hackers are. Which means that while there are hackers who take part in bug bounty programs such as the ones operated by Google and Microsoft, there are plenty of others who will do the same kind of work to uncover a vulnerability but who, rather than disclosing it to the vendor concerned in exchange for cash, will sell it to the highest bidder for a lot more money instead. State-sponsored attack groups may uncover such zero-day vulnerabilities themselves or, more likely, buy them from zero-day brokers, paying six figures or more depending on the target involved. This is why bug bounty programs alone will never stop the zero-day threat. But that doesn’t mean the money heading to hackers from Microsoft isn’t well spent, far from it. Without the good hackers finding these vulnerabilities there would be far more zero days out there, and far more harm being done as a result.
