Microsoft on Thursday announced a massive expansion to its bug bounty program, which now also covers third-party and open source code.
As long as a critical vulnerability impacts Microsoft’s services, the researcher who finds and reports it is eligible for a bug bounty reward.
“If a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source, we will do whatever it takes to remediate the issue,” Microsoft VP Tom Gallagher says.
Microsoft explains that this ‘In Scope by Default’ approach aligns with hackers’ view of the attack surface: all security defects matter.
“In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services. They don’t care who owns the code they try to exploit,” Gallagher notes.
In short, security researchers looking for weaknesses in areas of high interest to threat actors are welcome to submit vulnerability reports through the Microsoft bug bounty program.
“If Microsoft’s online services are impacted by vulnerabilities in third-party code – including open source, we want to know. If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code,” Gallagher says.
The update took effect immediately, and Microsoft’s bug bounty program now includes all of its online services by default. New services are considered in scope as soon as they are launched.
The expanded Microsoft bug bounty program is the latest change the company has made as part of the Secure Future Initiative it announced in 2023, and follows the naming of two new Operating CISOs this week.