Microsoft Offers $250,000 For Security Flaws In Expanded Windows Bug Bounty Program

Roland Moore-Colyer,
hp

Big rewards are on offer for people who spot flaws in Windows 10

Microsoft is offering up to $250,000 (£190,275) for bugs spotted and reported in its software as part of an expansion of its Windows Bounty Program. 

The top money reward is for bugs discovered in Microsoft’s Hyper-V virtualisation software, but more modest rewards start at $500 (£382) for critical or important remote code execution flaws found in Windows. 

Bugs identified in Microsoft’s Edge browser or its Windows 10 preview builds will fetch keen eyed flaw spotters up to $15,000 (£11,400). 

Bug hunting 

fotolia: Glass focused on virus in digital code © pixel_dreams #38396957Even if Microsoft’s internal engineers and security staff spot a flaw before anyone else, the reward for spotting the bug will still go to the first person outside the company to report it, however it will only be 10 percent of the maximum reward on offer. 

Even if Microsoft’s internal engineers and security staff spot a flaw before anyone else, the reward for spotting the bug will still go to the first person outside the company to report it, however it will only be 10 percent of the maximum reward on offer. 

This approach and the offer of hefty reward money is likely being adopted to encourage people to report the bug to Microsoft rather than try and sell it on to cyber criminal who can exploit it for attacks such as the WannaCry ransomware campaign. 

“Security is always changing and we prioritise different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities,” the company explained. 

Bug bounties offer ways for IT experts and people who enjoy digging around in software a means to make some serious money for their efforts. Facebook and other technology companies recently donated more than £200,000 to an open source bug bounty programme

While cyber security firm Kaspersky also runs its own bug bounty programme, offering rewards of nearly £4,000 for the spotting of remote code execution bugs. 

Clearly, technology firms are willing to pay good money to keep independent cyber security researchers and code probers on their side rather than leave them to be attracted to the nefarious world of exploit selling and trading. 

Are you a cyber security expert? Try our quiz!