Microsoft has expanded its bug bounty program to include critical vulnerabilities found in any of its online services, even if the flaw is in third-party or open-source code that impacts the service. This policy change was announced by Tom Gallagher, vice president of engineering at the Microsoft Security Response Center, at Black Hat Europe.
Gallagher explained that attackers exploiting a service do not distinguish between code written by Microsoft and the third-party components it depends on, which prompted the company to expand its program. All Microsoft online services are now covered by default, and new services are included as soon as they are released. The expansion specifically covers security flaws in third-party dependencies, whether commercial or open-source, provided they have a direct impact on Microsoft’s online services.
Gallagher stated that a critical vulnerability with a demonstrable impact on Microsoft’s online services is now eligible for a bounty award regardless of whether the affected code is owned and managed by Microsoft, owned by a third party, or open-source. The goal is to incentivize research on the highest-risk areas that threat actors are most likely to exploit. Furthermore, even where no formal bounty program exists, Microsoft commits to recognizing and rewarding the diverse insights of the security research community.
This announcement is part of Microsoft’s broader Secure Future Initiative, which is a company-wide effort to prioritize security across all its operations. As part of this initiative, Microsoft has already taken steps such as disabling all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps, and updating Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols.
In addition to the bug bounty expansion, the Secure Future Initiative has led to other recent security enhancements. Microsoft has begun rolling out a new Teams feature to block screen capture attempts during meetings and has announced plans to secure Entra ID sign-ins against script injection attacks. These moves reflect Microsoft’s continued investment in security; the company has paid out over $17 million in bounty awards to security researchers over the last year.
Source: Microsoft Bounty Program Now Includes Any Flaw Impacting Its Services