Microsoft is now paying security researchers for finding critical vulnerabilities in any of its online services, even if the affected code was written by a third party or is open source.
The company announced this policy change at Black Hat Europe, with Tom Gallagher, VP of engineering at Microsoft Security Response Center, highlighting that attackers don’t differentiate between Microsoft code and third-party components.
Under the expanded program, any critical vulnerability with a direct impact on Microsoft online services is eligible for a bounty. This includes flaws in third-party dependencies, whether commercial or open source. Gallagher emphasized that Microsoft aims to incentivize research on the highest-risk areas, especially those that attackers are most likely to exploit. He added that researchers will be recognized and rewarded even in areas without existing bounty programs.
Over the past year, Microsoft has paid more than $17 million to 344 security researchers, compared with $16.6 million to 343 researchers the previous year. The move is part of Microsoft's broader Secure Future Initiative, which focuses on improving security across all its operations.
As part of this initiative, Microsoft has disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. It also updated Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols.
Other recent improvements include a new Teams feature that blocks screen capture attempts during meetings and plans to protect Entra ID sign-ins from script injection attacks.