Microsoft bounty program now includes any flaw impacting its services

Microsoft bounty program now includes any flaw impacting its services

By Sergiu Gatlan
Publication Date: 2025-12-11 16:00:00

Microsoft now pays security researchers for finding critical vulnerabilities in any of its online services, regardless of whether the code was written by Microsoft or a third party.

This policy shift was announced at Black Hat Europe on Wednesday by Tom Gallagher, vice president of engineering at Microsoft Security Response Center.

As Gallagher explained, attackers don’t distinguish between Microsoft code and third-party components when exploiting vulnerabilities, prompting the company to expand its bug bounty program to cover all Microsoft online services by default, with all new services in scope as soon as they are released.

The program now also includes security flaws in third-party dependencies, including commercial or open-source components, if they impact Microsoft online services. 

“Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code…