This document answers frequently asked questions about bounty programs. Please see the Microsoft Bounty Terms for the full terms and conditions that apply to the Microsoft Bounty Program.  
|

Sumbit your finding to Microsoft, including instructions to reproduce the vulnerability), using the bug submission guidelines found here.
 
Some important notes:
 
  • We request you follow Coordinated Vulnerability Disclosure (CVD) when reporting all vulnerabilities to Microsoft, as submissions that do not follow CVD may not be eligible for bounty and could disqualify you from future participating in bounty programs in the future.
  • Microsoft is not responsible for submissions that we do not receive for any reason.
  • Microsoft will exercise reasonable efforts to clarify indecipherable or incomplete submissions, but more complete submissions are often eligible for higher bounties (see program rate tables for details).
  • There are no restrictions on the number of qualified submissions an individual submitter can provide and potentially be paid bounty for.

  1. You will receive an email stating that we have received your submission.
  2. Our engineers will review the submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.
  3. After your submission has been validated, we will contact you to provide the necessary paperwork to process your award if eligible.
  4. You will complete tax documentation paperwork. After we receive that paperwork and confirm that you are eligible to receive payment under this program, we will deem your submission to be qualified and process your bounty.
  5. We will recognize most individuals who have been awarded bounties through our security researcher acknowledgements or our Online Services Security Acknowledgements.

Please see the Program Eligibility section of the Microsoft Bounty Terms.

Please see the Program Eligibility section of the Microsoft Bounty Terms.

Yes, an organization will be required to complete a pre-registration process in order to participate in the program. Please email bounty@microsoft.com for complete details.

  • Microsoft retains sole discretion in determining which submissions are qualified, according to the rules of each program.
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first eligible submission.
  • If a duplicate report provides new information that was previously unknown to Microsoft, we may award a differential to the person submitting the duplicate report.

We have long been recognizing the work of security researchers who help us secure our products in a variety of ways, from public acknowledgements to invitations to events like the researcher appreciation party in Las Vegas. The bounty programs represent the latest in our ongoing investment in working collaboratively with security researchers.

Protecting customers is Microsoft's highest priority. We endeavor to address each vulnerability report in a timely manner. While we are doing that we require that bounty submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Microsoft will notify you when the Vulnerability in your submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion
  • Please contact bounty@microsoft.com if you intend to discuss the vulnerability after it has been fixed. This includes blog posts, public presentations, whitepapers and other media.
  • To give people time to update, we generally recommend waiting for at least 30 days after your submission has been fixed by Microsoft before discussing it publicly.

Yes. We want to know about a security vulnerability as soon as you’ve found it. We will award you the bounty for the vulnerability reported. If you give us the functioning exploit within 90 days of submitting the vulnerability, we will top it off and award you any additional bounty amount for high quality or functional exploit reporting. For example, if you submit a critical RCE you will receive $6,000 during the adjudication. When you submit the functioning exploit within 90 days, you will receive the additional $9,000.

We’re constantly evaluating our programs to determine how to increase the win-win between the security research community and Microsoft’s customers.

If you are submitting your own mitigation bypass idea that you invented, then you do not need to pre-register. Simply send it to secure@microsoft.com. If you are submitting a mitigation bypass technique that you found in use in the wild, then you will need to pre-register before you submit. Email bounty@microsoft.com to get started. Please see complete program terms here.

Yes, if the defense submission qualifies as being new and practical as defined in the terms, we will award up to $100,000 USD for a defense that can block existing mitigation bypasses. If you have a defensive technique and corresponding exploits to prove the technique works, you will be eligible for this program.