Microsoft today announced it has paid out $13.7 million in bug bounties to 327 security researchers in the past year. The figure is more than three times the $4.4 million that Microsoft awarded over the same period last year, showing that the company is increasingly putting its money where its mouth is with respect to external security researchers. The single biggest bug bounty awarded was $200,000.
So, why the increased payouts? Microsoft noted that it launched six new bug bounty programs and two new research grants this year. And of course, the company pointed to the coronavirus pandemic as a possible accelerator: “In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic.”
Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs a business peanuts compared to paying for a serious security snafu.
Over the past 12 months, Microsoft received 1,226 eligible vulnerability reports across its 15 bug bounty programs. But the $13.7 million is the standout number — that’s a huge bug bounty amount to spend in one year. Google, which is well known for its bug bounty programs, has paid $21 million over nine years — the company started paying bug bounties in November 2010.
For whatever reason, Microsoft is refusing to disclose how much it has paid out to date. “Our Bug Bounty program started seven years ago with a goal to further protect our billions of customers as security threats have continued to evolve,” Microsoft Security Response Center senior program manager Jarek Stanley told VentureBeat. “We can’t disclose the exact number payout since the start of the award program.”
At first glance, August might seem like an odd time to share an update on your bug bounty program. But the timing is no coincidence: The Black Hat USA 2020 security conference kicks off tomorrow. Microsoft is championing its holistic approach to customer security, which includes the wider security community engaging in its bug bounties.
“Security researchers are a vital component of the cybersecurity ecosystem that safeguards every facet of digital life and commerce,” Microsoft wrote today. “The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude.”