Microsoft bounty program now includes any flaw impacting its services
Microsoft today announced that it is expanding its bug bounty program to now include any flaw impacting its services, regardless of whether the code was written by Microsoft or not:
In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services. They don’t care who owns the code they try to exploit. The same approach should apply to the security community who continue to partner with us to provide critical insights that help protect our customers.
Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components.
Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue. Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit. Where no bounty program exists, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft.
We call this approach In Scope by Default. It gives clarity to researchers and ensures that we incentivize responsible research wherever our customers may be impacted. Historically, our bounty program has had a defined scope for each eligible product or service. Our new approach expands the program to include all online services by default. It also means new services will be in scope as soon as they are released.
Martin Jartelius, AI Product Director at Outpost24, had this to say:
“For organizations that rely on bug bounty programs to keep themselves and their customers secure, this is an important step, as it focuses on the full attack surface of an organization. A very common mistake in security is the careless use of scope, or rather de-scoping, of what is included. As Mr. Gallagher notes, attackers do not care whether they gain access through ReactToShell or a novel vulnerability in Microsoft components. Microsoft will likely find itself paying out more bounties for a while, but the resulting security improvements will ultimately be a cost-efficient way to strengthen the organization’s overall security posture.”
This is a very good move by Microsoft, as supply chain attacks are far more pervasive than they should be. Hopefully other vendors will do something similar, as it will make us all safer.
This entry was posted on December 11, 2025 at 12:09 pm and is filed under Commentary with tags Microsoft.