Microsoft has launched yet another bounty program that encourages security researchers to find bugs and issues in its software products, with the possibility of being awarded some big money. This time the bounty program is, ironically, designed to help find issues in the Microsoft Defender lineup of security products.
In a blog post, Microsoft stated:
The Microsoft Defender brand encompasses a variety of products and services designed to enhance the security of the Microsoft customer experience. The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team. The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs, and will expand to include other products in the Defender brand over time.
The company revealed more details on the bounty program on its own dedicated page. Among other things, it lists the criteria that security researchers must meet to be eligible to win a bug bounty prize:
- Identify a vulnerability in listed in-scope Defender products that was not previously reported to, or otherwise known by, Microsoft.
- Such vulnerability must be Critical or Important severity and reproducible on the latest, fully patched version of the product or service.
- Include clear, concise, and reproducible steps, either in writing or in video format.
- Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.
The actual financial bounty rewards will be given out for bugs related to tampering, spoofing, information disclosure, and elevation of privilege. The rewards for successfully finding a Microsoft Defender bug in those areas will range from $500 to $8,000, depending on the level of severity.
However, the biggest bounty amounts are for researchers who find issues in Defender related to Remote Code Execution. The rewards for that category will range from $5,000 all the way to $20,000.
In October, Microsoft announced a bounty program to help find bugs related to its Bing AI services with up to $15,000 in rewards.