Microsoft trumps Google for 2021-22 bug bounty payouts
Another $13.7m handed out to researchers, but then again it does have an awful lot of attack surfaces
Microsoft appears to have beat Google on the bug bounty front, with $13.7 million in rewards spread out over 335 researchers.
Google, in comparison, awarded $8.7 million during 2021; a figure it described as "record breaking." Microsoft's numbers run from July 1, 2021, to June 30, 2022. With its Office productivity suite and Windows operating systems, Microsoft has an impressive attack surface with all manner of legacy code through which attackers might poke holes.
The biggest prize awarded by Microsoft was $200,000 under the Hyper-V Bounty Program and the average award was $12,000.
If you're suffering from a bit of déjà vu, we understand. The figure is exactly the same as that revealed in 2020 (itself a more than trebling of the $4.4m awarded during the same period the previous year). The Register contacted Microsoft to check that there had been no embarrassing whoopsies in the copy-paste department and will update should the software giant respond.
Two years on, and there is a slight drop in eligible vulnerability reports and an equally slight increase in the number of researchers awarded.
Microsoft has made some changes this year, paying up to $26,000 more for "high impact" bugs turned up in its Office 365 product line. Other awards were increased by up to 30 percent.
We spoke to Google's bug bounty boss earlier this week, who described simply finding and patching vulnerabilities as "totally useless" – the real payoff was what the company could learn from the exploits and the work of researchers, who are often motivated more by curiosity than financial reward (although the latter certainly does no harm).
While bug bounty programs undoubtedly encourage the responsible disclosure of vulnerabilities, they also have their critics.
Microsoft Bug bounty: "would you like to sell your bug to the government for $1m or give it to Microsoft for less than minimum wage"

Web3 Bug bounty: "would you like to report the bug in return for the content of this mystery box or steal literally all the money we have"

— Marcus Hutchins (@MalwareTechBlog) February 3, 2022
Microsoft has continued to tinker with its bug bounty program, with the addition of attack scenarios on Azure, Dynamics 365, and its Power Platform. ®