Google, Microsoft bump bug bounties

Googles' rise is permanent, Microsoft wants you to give Office 365 a beating

10 Reg comments Got Tips?

Google and Microsoft have both increased the cash on offer under their bug bounty programs.

Google's increases are permanent, in recognition of what security program manager Josh Armour says is an environment in which “high severity vulnerabilities have become harder to identify over the years.” Google's therefore going to pay more to reflect the time it takes to find nasty flaws.

Google's priority remains remote code execution flaws, which can now earn white hats up to US$31,337. Google's ceiling for payments used to be $20,000.

Finding a bug that permits “unrestricted file system or database access” can now result in $13,337 heading your way, up from $10,000.

A full list of what Google is looking for, and will pay for, can be found here.

Microsoft's also increased its payouts, but only for two months and for a handful of services.

The good news is that Redmond's doubled payouts for vulns that meet its criteria, namely any of the following:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by user)

The bonus bounties apply only on the following platforms.

  • *

Microsoft's not said why it's made the special offer for those domains, but clearly it feels they need to be given a thorough going-over. The Register can offer a couple guesses as to why. A simple reason could be that they just haven't attracted many bounty hunters. Another could be that they are running new code worthy of extra probing. The timing of the bloated bounty is also interesting, because as by the start of May we'll be very close to the launch of the Windows 10 Creators Update. That release, we already know, will link with Office 365 Advanced Threat Protection. Coincidence? With $30k up for grabs, does it even matter? ®


Biting the hand that feeds IT © 1998–2020