The Microsoft Bounty Program is being overhauled now that Microsoft has seen the growth in the program, which awarded researchers over $2m in 2018 alone. HackerOne will be taking over the payment-processing part of the bug bounty program, and the companies are promising that the partnership will mean faster bounty payments and more payment options (PayPal, cryptocurrency and direct bank transfers).
Now that the Redmond tech giant has handed off the program, Microsoft is going to be much more involved. Microsoft will now be retaining control over all other aspects of the program, such as receiving reports, triaging bugs, and determining the value of the payouts. The Microsoft Security Response Center is strictly advising researchers not to send bug reports about Microsoft products to HackerOne. Doing so violates the bug bounty program, which prevents researchers from sharing bug details with third parties.
Another change is on the more generous side: external researchers who report duplicate bugs that Microsoft is already aware of will no longer receive only 10 percent of the normal reward. Now the first researcher who reports a duplicate that’s already known will get the full bounty reward. The policy will remain the same for external parties where the bounty is already granted.
Lastly, Microsoft will be increasing the scope of existing programs. The payouts will increase substantially: as of January, the top payout for the Windows Insider Preview program is $50,000, up from $15,000. The Microsoft Cloud bounty now tops out at $20,000, up from $15,000. These programs have gradually been increasing, but the milestone of $2m still places Microsoft behind Google’s bug bounty programs, which resulted in payments to researchers of $3.4m in the same year.