Microsoft goes big in security bug bounties: Its $13.7m is double Google’s 2019 payouts

Microsoft has revealed it has awarded security researchers $13.7m for reporting bugs in Microsoft software since July last year.

Microsoft’s bug bounties are one of the largest source of financial awards for researchers probing software for flaws and, importantly, reporting them to the relevant vendor rather than selling them to cybercriminals via underground markets or exploit brokers who distribute them to government agencies.

Windows 10

The Redmond company has 15 bug-bounty programs through which researchers netted $13.7m between July 1, 2019 and June 30, 2020. That figure is triple the $4.4m it awarded in the same period the previous year.

“The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude,” said members of the Microsoft Security Response Center in a blogpost.

Flaws reported to Microsoft and other vendors via bug bounties can help reduce the number of so-called zero-day exploits that attackers can use to compromise systems before a vendor supplies a security patch to block them. Providing patches to users also helps protect systems from attacks after the vulnerability has been disclosed.

Microsoft’s total annual bug-bounty payouts are now much larger than Google’s awards for security flaws in its software, which totaled $6.5m in calendar year 2019. That figure was double the previous year’s payouts from the ad and search giant, which called it a “record-breaking year”.

Microsoft’s larger expenditure on bug-bounty payouts could be justified, according to new data released by Google’s bug hunting squad, Google Project Zero or GPZ.

GPZ this week revealed that there have been 11 zero-day vulnerabilities exploited in the wild in the first half of the year. The discovery of these exploits is rare: Microsoft patched 115 vulnerabilities in March alone. But Microsoft software made up four of the 11 exploits that Google discovered were being used in the wild in 2020.

The Microsoft flaws included the bug in Internet Explorer, CVE-2020-0674, that Microsoft patched in February. Then there were three more Windows memory-corruption bugs that were exploited before Microsoft’s patches released this year.

In 2019, according to GPZ statistics, 11 of the 20 zero-days under attack that year affected Microsoft products, which was much higher than exploited zero-days from any other vendor, including Google.

However, Google noted that there was detection bias towards Microsoft because there are more security tools specialized in detecting Windows bugs.

Microsoft says the higher total payouts this year is because it launched six new bounty programs and two new research grants. These attracted over 1,000 eligible reports from over 300 researchers.

Microsoft also suggests COVID-19 social distancing prompted an uptick in security research activity.

“Across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic,” Microsoft said.