Microsoft Bounty Program
Get paid to find bugs
Calling all Microsoft friends, hackers, and researchers! Do you want to help us protect customers, make some of our most popular products better… and earn money doing so? Step right up!
Microsoft offers direct payments in exchange for reporting certain types of vulnerabilities and exploitation techniques. To see full bounty terms, go here.
Microsoft has championed many initiatives to advance security and to help protect our customers, including the Security Development Lifecycle (SDL) process and Coordinated Vulnerability Disclosure (CVD). We formed industry collaboration programs such as the Microsoft Active Protections Program (MAPP) and Microsoft Vulnerability Research (MSVR), and created the BlueHat Prize to encourage research into defensive technologies. Since June 2013, we have also offered bounties for certain classes of vulnerabilities reported to us. These bounty programs help Microsoft harness the collective intelligence and capabilities of security researchers to help protect customers. Some bounty offerings are time-limited, so please refer to the table below for complete information on each program.
Take a look at the active programs below and review the program details at each link. If you have a vulnerability that might be a match for one of our bounty programs, please contact us at secure@microsoft.com with details.
Happy Hunting!
Microsoft Security Response Center
| Start date | End date | Scope | Bounty |
|---|---|---|---|
| 2018-7-17 | Ongoing | Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards. | Up to $100,000 USD |
| 2018-03-14 | 2018-12-31 | A novel category or exploit method for a Speculative Execution Side Channel vulnerability | Up to $250,000 USD |
| 2017-07-26 | Ongoing | Critical and important vulnerabilities in Windows Insider Preview | Up to $15,000 USD |
| 2017-07-26 | Ongoing | Critical vulnerabilities in Windows Defender Application Guard | Up to $30,000 USD |
| 2017-05-31 | Ongoing | Critical remote code execution, information disclosure and denial of service vulnerabilities in Hyper-V | Up to $250,000 USD |
| 2016-08-04 | Ongoing | Critical remote code execution and design issues in Microsoft Edge in Windows Insider Preview fast | Up to $15,000 USD |
| 2013-06-26 | Ongoing | Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission. | Up to $100,000 USD (plus up to an additional $100,000) |
| 2017-03-15 | Ongoing | Vulnerabilities on Office Insider | Up to $15,000 USD |
| 2016-09-01 | Ongoing | Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details) | Up to $15,000 USD |
| 2014-09-23 | Ongoing | Vulnerability reports on applicable Microsoft cloud services | Up to $15,000 USD |