In brief: Microsoft over the past 12 months has paid out $13.6 million in bug bounty awards to 341 security researchers in nearly 60 countries around the world. That’s down ever so slightly from last year’s numbers, despite Microsoft adding two new programs to the mix.
In its year in review, Microsoft said the average amount per award across all programs was more than $10,000. The largest single award was $200,000, under the Hyper-V Bounty Program, which spans three types of vulnerabilities: remote code execution, information disclosure and denial of service. That program’s description notes that the highest possible award is $250,000, so it seems nobody hit the jackpot over the past year.
In total, Microsoft received 1,261 eligible vulnerability reports during the 12-month period across its 17 different bounty programs.
Interestingly enough, this year’s stats are very similar to last year’s. In the previous year-long period, Microsoft awarded a total of $13.7 million to 327 researchers spanning 1,226 eligible reports. Just like this past year, the biggest single award was $200,000.
Since last year’s report, Microsoft has added two new bug bounty and research programs. The Microsoft Applications Bounty Program (Teams Desktop) launched in March 2021 followed by the SIKE Cryptographic Challenge which arrived just last month. The Windows Insider Preview Bounty Program, meanwhile, was updated in July 2020 and the Research Recognition Program was updated this past February.