Microsoft awarded $13.6 million in bug bounties over the last 12 months

Over 340 security researchers from 58 countries reported a total of 1,261 valid vulnerabilities between 2020-2021

Microsoft has said it awarded over $13.6 million (£9.87 million) in rewards to security researchers participating in its public bug bounty programmes over the last 12 months.

Between 1 July 2020 and 30 June 2021, over 340 security researchers from across 58 countries participated in the tech giant’s 17 software bug hunts, reporting a total of 1,261 valid vulnerabilities.

The number of participating researchers grew by at least a dozen since the same period last year, when Microsoft awarded $13.7 million to 327 security researchers. Since then, the tech giant has added two more bug bounty programmes, including one for its Teams desktop client with potential rewards of up to $30,000, and saw the number of vulnerability reports increase by 35.

However, despite the reward amount tripling between 2019 and 2020, 2021 saw a slight decrease, of around $100,000.

Over the last 12 months, the highest number of bug reports were submitted from security researchers based in China, the US, Israel, and India. Although the average reward was over $10,000 (£7,260), the largest payout – $200,000 (£145,000) – was awarded for a vulnerability reported in Microsoft’s OS virtualisation technology, Hyper-V, under the Hyper-V Bounty Programme.

Microsoft Security Response Center members Jarek Stanley, Lynn Miyashita, and Madeline Eckert thanked “everyone who shared their research with Microsoft this year and for their partnership in securing millions of customers”, in a statement on the company’s blog.

Related Resource

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

The Forrester Wave: Top security analytics platforms - whitepaper from IBMFree download

“We’re constantly evaluating the threat landscape to evolve our programmes and listening to feedback from researchers to help make it easier to share their research. This year, we introduced new challenges and scenarios to award research focused on the highest impact to customer security.

"These focus areas helped us not only discover and fix risks to customer privacy and security, but also offer researchers top awards for their high-impact work,” they said, adding that the Microsoft Security Response Center will share “more bounty programme updates and improvements in the coming year”.

The title of the Most Valuable Security Researcher 2021 is to be announced in August.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021
How do hackers choose their targets?
hacking

How do hackers choose their targets?

17 Sep 2021
Owner of DDoS for hire sites found guilty of hacking offences
distributed denial of service (DDOS)

Owner of DDoS for hire sites found guilty of hacking offences

17 Sep 2021
Microsoft brings passwordless security to consumer accounts
Microsoft Windows

Microsoft brings passwordless security to consumer accounts

16 Sep 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Apple patches zero-day flaw abused by infamous NSO exploit
exploits

Apple patches zero-day flaw abused by infamous NSO exploit

14 Sep 2021
Hackers develop Linux port of Cobalt Strike for new attacks
Security

Hackers develop Linux port of Cobalt Strike for new attacks

14 Sep 2021