<div id="readability-page-1"><div id="body">Microsoft is overhauling its bug bounty program to reward exploit hunters for finding vulnerabilities across all its products and services, even those without established bounty schemes.Tom Gallagher, VP of engineering at Microsoft Security Response Center (MSRC), told Black Hat Europe delegates yesterday that the company will adopt what it calls an &#34;in scope by default&#34; approach.Under the new model, MSRC will pay researchers who report critical vulnerabilities that have a demonstrable impact on Microsoft's online services. &#34;Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue,&#34; Gallagher said. &#34;Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit.&#34; The same class of vulnerability, and its severity, will attract the same monetary award in a third-party codebase as it would if it were found in one of Microsoft's products, he told The Register.&#34;Where no bounty programs exist, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft.&#34; The move represents a shift in MSRC's bug bounties, which in the past have been prescriptive in terms of what type of bug warrants an award, and what products or services are eligible.Gallagher said this &#34;in scope by default&#34; approach means that even new products and services are covered by bug bounties, including those without a dedicated program assigned to them at launch.&#34;The shift to an 'in scope by default' bounty model aims to strengthen our security posture amid an evolving threat landscape, especially across cloud and AI.&#34;Microsoft says it paid more than $17 million in awards to researchers last year through its bug bounty program and Zero Day Quest competition, and expects to increase spending.Belatedly, Microsoft launched its bug bounty program in 2013 after rejecting pressure to start one for years – a process head bounty lobbyist Katie Moussouris described as being like &#34;boiling a frog.&#34; While many researchers have financially benefited from Microsoft's bug bounty program since then, common gripes reported by those who aren't so lucky include slow response times and questionable triage conclusions.Some frustrated experts have also gone to great lengths to make their feelings about the submission process known to MSRC. ® </div></div>

MSFL

MSFO

MSFD

MSFU

MSFX

MSFY

Microsoft is revamping its bug bounty program to reward researchers for finding vulnerabilities across all products, even without established bounty schemes. The new "in scope by default" approach will incentivize research on high-risk areas, offering monetary awards for critical vulnerabilities impacting Microsoft's services, regardless of code ownership. This shift aims to enhance security amid evolving threats, with increased spending expected beyond the $17 million awarded last year.

Microsoft promises more bug payouts, with or without a bounty program