Microsoft has paid a hefty $13.7 million to security researchers for reporting bugs in its products since last year

Microsoft has always taken security issues seriously. Its system updates are not always regular, but its security systems are consistently active, as several third-party analysts have documented in their reports on the performance of Microsoft's security systems. The company's latest disclosure reinforces this: since last July, Microsoft has paid a whopping $13.7 million to security researchers for reporting bugs and malware affecting Microsoft software.

Microsoft runs 15 bug-bounty programs, which financially reward security researchers who devote their time and energy to uncovering flaws in its software and then report those flaws promptly to the vendor concerned, rather than selling them to cyber-criminals on underground markets or to exploit brokers who supply them to government agencies.

The Microsoft Security Response Center is not only grateful for these efforts but holds the researchers in high regard, and because of that regard Microsoft does not hesitate to reward them through its bug-bounty programs. From July 2019 to June 2020, Microsoft spent $13.7 million on these programs, triple the $4.4 million it paid out the previous year.

By comparison, Google spent around $6.5 million on rewards for security flaws in its software, so Microsoft is clearly spending considerably more than Google.

According to Microsoft, the higher payouts in 2020 are due to the launch of six new bounty programs and two new research grants. These incentives alone attracted more than 1,000 eligible reports from around 300 security researchers.

Microsoft also says that security research had to increase during the COVID-19 pandemic: according to the latest report from Google Project Zero (GPZ), 11 zero-day vulnerabilities were exploited in the wild during the months when the world was battling the pandemic, and Microsoft had to patch 115 vulnerabilities in March alone. Discovering such vulnerabilities is rare and was only possible because of security researchers working day in and day out to rid the software of flaws, which justifies Microsoft's high security payouts.

Microsoft software accounted for four of the 11 exploits that Google identified as being used in the wild in 2020.

These included an Internet Explorer bug, CVE-2020-0674, that Microsoft had to patch in February, and three more Windows memory-corruption bugs that were exploited before Microsoft released patches for them in 2020.

The bounty programs Microsoft launched during the period include the Microsoft Dynamics 365 Bounty Program, Azure Security Lab, Microsoft Edge on Chromium Bounty Program, ElectionGuard Bounty Program, Xbox Bounty Program, and Azure Sphere Security Research Challenge.

Flaws reported to Microsoft and other vendors through these bug bounties help reduce the supply of zero-day exploits that attackers can use to compromise systems: once a flaw becomes known and the vulnerability is disclosed, the vendor ships a security patch to users.


