It is good news if you are a bug hunter: Microsoft has announced a further extension of its Security Bounty Programs. In an effort to woo bug finders, the company is doubling the bounty amount for defense, launching an authentication bonus and adding RemoteApp to the list of domains covered in the Online Services Bug Bounty.
Most software companies use bug bounty programs to detect vulnerabilities in their applications. Microsoft has just ensured that bug hunters have enough reasons to work day and night finding vulnerabilities in its domains like Defense Maximum, Microsoft Account (MSA) and Azure Active Directory (AAD).
Making the announcement, the MSRC team said:
“We are raising the Bounty for Defense maximum from $50,000 USD to $100,000 USD. I am also very excited to announce that we are launching a bonus period for Authentication vulnerabilities in the Online Services Bug Bounty. We will be running an onsite contest at Black Hat in Las Vegas, August 5-6, related to this effort. Lastly, we are adding RemoteApp to the list of domains covered in the Online Services Bug Bounty”.
The new approach of Microsoft’s Bug Bounty system includes:
- Vulnerabilities certification will obtain double bounty payouts
- The vulnerabilities bonus period will run from August 5, 2015 to October 5, 2015 and includes Microsoft Account (MSA) and Azure Active Directory (AAD)
- During this period, all payouts will be twice the normal payout
- Participants can show their 1337 skills at the MSA contest, which will be held at Black Hat, and can win an Xbox One, a Surface 3, or one year of full MSDN access
- RemoteApp is being added as a new property of the Online Services Bug Bounty Program, and all of the terms and payout rules will be the same as earlier. RemoteApp lets users run Windows apps hosted in Azure anywhere and on various devices
- Anyone can also visit the Microsoft Networking Lounge, located in Mandalay Bay, on August 5 and 6 to participate and review the full rules
The latest expansion and increase in rewards would certainly help Microsoft improve its offerings. The actual result, though, depends on feedback from the security research community.