Microsoft is accused of cutting bug bounty rewards by up to 90%, security researchers claim


Several security researchers allege that Microsoft has made a mammoth reduction in the monetary rewards of its bug bounty program. The Redmond giant has apparently cut some rewards by a factor of ten, or 90%.

Marcus Hutchins (alias MalwareTech on Twitter) said the new bug bounty program reduced the reward for one of his zero-days to $1,000, down from the previous $10,000.

As part of Microsoft’s new bug bounty program, one of my zero-days went from $10,000 to $1,000

Others have expressed similar feelings. For example, a Hyper-V researcher and Twitter user, @rthhh17, recently stated that Microsoft’s rewards program valued his Hyper-V remote code execution (RCE) vulnerability at just $5,000. His tweet suggests that the reward was reduced by a potentially much larger amount during the review process. We will come back to this at the end of the article.

BE CAREFUL! Microsoft will reduce your bounty anytime! This is a Hyper-V RCE vulnerability that can be triggered from a guest computer, but it is only eligible for a $5,000.00 reward under the Windows Insider Preview Bounty program. Unfair!

Finally, the most recent example is Windows security researcher Abdelhamid Naceri, who reportedly told BleepingComputer that he had publicly disclosed a new zero-day bug out of sheer frustration.

When BleepingComputer asked Naceri why he was publicly disclosing the zero-day vulnerability, we were told that he did so out of frustration at Microsoft’s declining payouts in their bug bounty program.

“Microsoft bounties have been destroyed since April 2020. I really wouldn’t do that if MSFT hadn’t made the decision to downgrade those bounties,” said Naceri.

Microsoft lists its reward tiers on its Microsoft Bug Bounty Program page:

While Hyper-V researcher @rthhh17 reports that his RCE vulnerability discovery was valued at a $5,000 reward, Microsoft’s website states that such a finding is worth a bounty of “up to $250,000” (middle figure above). From the researcher’s point of view, this would mean, in the worst case, a reduction in the bounty by 80%.

via BleepingComputer
