
Evolving our approach to coordinated security research: In scope by default

Today at Black Hat Europe, I raised our commitment to customer security through our partnerships with the security research community.  

In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services. They don’t care who owns the code they try to exploit. The same approach should apply to the security community who continue to partner with us to provide critical insights that help protect our customers.  

Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components. 

Starting today, if a critical vulnerability has a direct and demonstrable impact on our online services, it is eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft or a third party, or is open source, we will do whatever it takes to remediate the issue. Our goal is to incentivize research on the highest-risk areas, especially the areas that threat actors are most likely to exploit. Where no bounty program exists, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft.

We call this approach In Scope by Default. It gives clarity to researchers and ensures that we incentivize responsible research wherever our customers may be impacted. Historically, our bounty program has had a defined scope for each eligible product or service. Our new approach expands the program to include all online services by default. It also means new services will be in scope as soon as they are released. 

Last year, through our bug bounty program and live-hacking event, Zero Day Quest, we awarded more than $17 million for high-impact security research. The changes we are making today will expand award eligibility, especially for these key areas: 

  • Microsoft-owned domains and cloud services: Security researchers don’t have our insider perspective and are uniquely placed to think like an attacker. By working with us and following our rules of engagement, we can implement mitigations and protections that continually raise the bar against malicious attacks, adding an additional layer of security for our customers.  

  • Third-party code, including open source: If Microsoft's online services are impacted by vulnerabilities in third-party code, including open source, we want to know. If no bounty award formally exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code.

As Microsoft and the security community work together, we follow the Rules of Engagement for Responsible Security Research to ensure that customer data and privacy are protected. We expect researchers to understand these guidelines before they begin. They can then submit their findings for assessment and coordinated disclosure.

Keeping our customers secure is our top priority. Our partnerships with the security community are one piece of our broad strategy to ensure security comes first in everything we do. You can read more about the work we are doing across the company in our latest Secure Future Initiative report.

Tom Gallagher, VP Engineering, MSRC