Microsoft broadens its bug bounty program.
It now covers flaws found in dependencies. More precisely, Microsoft commits to rewarding reports of critical vulnerabilities that directly affect its online services, regardless of where the implicated code originates, so long as that code is not already covered by another bug bounty.
Another development: all of Microsoft’s online services are now included by default, with no scope restrictions. This also applies to new services as soon as they are published.
These rules have been in effect since December 11, 2025. They are retroactive for 90 days.
Hyper-V vulnerabilities, potentially the most lucrative
The bug bounty program already encompassed third-party components (open-source or proprietary), as long as they were included within Microsoft services.
According to the latest updates, rewards can reach up to $100,000 for vulnerabilities affecting identity services (Microsoft account, AAD and certain OpenID implementations). It’s $60,000 for Azure; $30,000 for Copilot; $20,000 for Azure DevOps, Dynamics 365/Power Platform and the Defender for Endpoint API; $19,500 for Microsoft 365; $15,000 for .NET Core/ASP.NET Core and for certain Microsoft open-source repositories.
On the endpoints and on-premises front, payouts rise to $250,000 for Hyper-V; $100,000 for Windows Insider Preview; $30,000 for Edge; $15,000 for Microsoft 365 Insider.
In 2023 as in 2024, the total amount of rewards distributed hovered around $17 million, split each time among just under 350 researchers.