Microsoft paid a total of $2 million for security flaws as part of the company’s bug bounty programs last year, so the company is implementing a series of changes that would further refine its collaboration with security researchers across the world.
One of the changes announced today concerns the payments that Microsoft makes as part of its bounty programs, as the software giant says it wants the financial rewards to be offered faster.
Payments will now be processed by HackerOne, Microsoft says, and additional options are offered, including not only PayPal, but also crypto currency.
“Microsoft is partnering with HackerOne for bounty payment processing and support to deliver bounty awards efficiently and with more options like PayPal, crypto currency, or direct bank transfer in more than 30 currencies. HackerOne also supports award splitting and charity donations. Additionally, Microsoft bounty awards processed through HackerOne will contribute to your overall reputation score on the HackerOne platform,” Jarek Stanley, Senior Program Manager at Microsoft, says.
There’s also an updated policy for duplicates, which concerns security vulnerabilities reported by researchers, but which were already known internally.
“The first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award, even if it is internally known. There is no change to our policy regarding duplicate external reports of the same vulnerability,” the Microsoft employee further added.
What’s important to know is that despite the payments now being processed through HackerOne, vulnerability reports must be sent to Microsoft directly, and the company says researchers can submit them at firstname.lastname@example.org.
Earlier this year, Microsoft also announced increased awards for a number of vulnerabilities. For example, flaws discovered for the Windows Insider Preview bounty now start at $50,000, up from $15,000 originally, while a bug in products like Azure, Office 365, and other online services can bring you at least $20,000 as part of the bounty program.