This page answers frequently asked questions about the Microsoft Bounty Program. Please see the Microsoft Bounty Terms for the full terms and conditions that apply to the Microsoft Bounty Program.  
|

Submit your finding to Microsoft using our  MSRC Researcher Portal, including instructions to reproduce the vulnerability, using the bug submission guidelines found here
 
Some important notes:
  • We request you follow Coordinated Vulnerability Disclosure (CVD) when reporting all vulnerabilities to Microsoft. Submissions that do not follow CVD may not be eligible for bounty and could disqualify you from participating in bounty programs in the future.
  • Microsoft will exercise reasonable efforts to clarify indecipherable or incomplete submissions, but more complete submissions are often eligible for higher bounties (see program award tables for details).
  • There are no restrictions on the number of qualified submissions an individual submitter can provide and potentially receive bounty awards for.

See blog post: What to Expect When Reporting Vulnerabilities to Microsoft 

  1. You will receive an email confirming that we have received your submission.
  2. The MSRC case managers and engineering team will review the submission, including reproducing the vulnerability and assessing the severity and security impact. The review time may vary depending on the complexity and completeness of your submission, but typically takes 2 weeks. 
  3. After your submission has been reproduced and assessed, the bounty team will review your submission for bounty award eligibility. If your submissionis eligible for a bounty award, the bounty team will contact you to share the good news and begin the award payment process. 
  4. You will be asked to complete registration with one of our award payment providers. Once registration is complete you will receive your bounty award through that provider.
  5. We will recognize most individuals who have been awarded bounties through our security researcher acknowledgements or our Online Services Security Acknowledgements.

If you have been awarded a bounty, the next step is to log into the MSRC Researcher Portal to select your preferred bounty award payment provider and accept the Microsoft Bounty Terms. Microsoft partners with HackerOne and Bugcrowd to deliver bounty awards quickly and with more award options for bounty recipients including bank transfer, Paypal, cryptocurrency, and charity donation.

 

Payment Provider Options

 

HackerOne (preferred):

  • Devliery Options: Bank transfer, Paypal, Cryptocurrency, Charity donation
  • Payment Frequency: weekly

Bugcrowd (preferred)

  • Delivery Options: Bank transfer, Paypal, Payoneer
  • Payment Frequency: weekly :

Microsoft Payment Central:

  • Delivery Option: Bank transfer
  • Payment Frequency: Payments are processed once a month. Typically takes 2 to 3 months to complete

 

Next Steps For Each Payment Provider

 

HackerOne

If you do not already have an account with HackerOne, please register at https://hackerone.com/users/sign_up and select HackerOne as your payment provider in the MSRC Researcher Portal using your email address associated with your HackerOne account.  

 

Bugcrowd 

Please select Bugcrowd as your payment provider in the MSRC Researcher Portal. Use an email already registered with Bugcrowd or provide a new email and Bugcrowd will register you as a part of the award payment process.  

 

Microsoft Payment Central (MPC)

If you are unable to use one of our bounty award payment partners, MPC is another option. Awards typically take 2 to 3 months to complete. If you choose MPC, you will receive an email from Microsoft's Payment Central (microsoft@e-mail.microsoft.com) to begin registration.

Please see the Program Eligibility section of the Microsoft Bounty Terms.

  • The products and services in scope for bounty awards and award amounts are published on the Microsoft Bounty Programs pages. 
  • Microsoft retains sole discretion in determining which submissions are qualified.
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be awarded to the first eligible submission. The other submission will be considered duplicates, and not eligible for bounty awards.
  • If Microsoft is aware of the issue internally but has not yet released a fix, the first eligible external submission is still eligible for award. 
  • If a duplicate report provides new information that was previously unknown to Microsoft, we may award a differential to the person submitting the duplicate report.
  • If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout award from a single bounty program. 

Bounty is just one of the ways we recognize researchers who help us protect Microsoft customers. If you submission is not eligible for bounty awards, you may still Researcher Recognition points and public acknowledgement for your contribution to fixes and updates. 

We’re constantly evaluating our programs to determine how to strengthen and grow our partnership with the global security research community to protect Microsoft’s customers.

Protecting customers is Microsoft's highest priority. We endeavor to address each vulnerability report in a timely manner. While we are doing that, we require that all submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the vulnerability is fixed. You may receive an award prior to the fix being released and award should not be taken as notification of fix completion.
  • Please contact bounty@microsoft.com if you intend to discuss the vulnerability after it has been fixed. This includes blog posts, public presentations, whitepapers and other media.
  • To give people time to update, we generally recommend waiting for at least 30 days after your submission has been fixed by Microsoft before discussing it publicly.

Yes. We want to know about a security vulnerability as soon as you’ve found it. If you plan to develop a functioning exploit after submitting the vulnerability, please contact bounty@microsoft.com. Depending on the bounty scope, a working exploit may be eligible for an additional bounty award.

Assessment typically takes 14 business days from the time a case is created. Please provide any additional information or respond to questions from your case manager within this time frame in order to help our engineering team reproduce your report as easily as possible.

Microsoft partners with HackerOne and Bugcrowd to deliver bounty awards to eligible researchers. HackerOne and Bugcrowd help us deliver bounty awards quickly, and with more award options like Paypal, Payoneer, charity donations, crypto currency, or direct bank transfer in more than 30 currencies. Microsoft bounty awards distributed via HackerOne or Bugcrowd will also contribute to a researcher’s overall reputation on the provider's platform.

Microsoft manages our Bounty Programs independently from the HackerOne and Bugcrowd platforms. Vulnerability reports must be submitted directly to Microsoft through the MSRC Submission Portal or secure@microsoft.com, and the details of those submissions will not be shared with out payment provider partners. Our payment provider partners will only receive information about the award amount, case number, and case severity. Any questions about the status of a submission assessment, fix, or release should be directed to Microsoft. 

We recommend all researcher use either HackerOne or Bugcrowd to receive their bounty awards. Researcher who are unable to use one of these providers may choose to use Microsoft’s corporate payment system to receive bounty awards. Awards through our corporate system may take 1 to 3 months to process, significantly longer than award delivered through HackerOne or Bugcrowd. 

If you are submitting your own mitigation bypass idea that you invented, then you do not need to pre-register. Simply send it to secure@microsoft.com. If you are submitting a mitigation bypass technique that you found in use in the wild, then you will need to pre-register before you submit. Email bounty@microsoft.com to get started. Please see complete program terms here.

Yes, if the defense submission qualifies as being new and practical as defined in the terms, your submission may be eligible for bounty award. If you have a defensive technique and corresponding exploits to prove the technique works, you may be eligible for this program.