Microsoft launched its new Microsoft Defender Bounty Program with a focus on Defender products and services. The company will pay up to $20,000 for the vulnerabilities in its Defender products.
The bug bounty program starts with Defender for Endpoint APIs, but other products will be covered by the company program.
“The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team.” reads the announcement. “The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs and will expand to include other products in the Defender brand over time. Qualified submissions are eligible for bounty rewards from $500 to $20,000 USD.”
Bug hunters can submit critical or important severity vulnerabilities that affect the latest, fully patched version of the product or service.
The IT giant will pay $20,000 for critical-severity remote code execution (RCE) vulnerabilities. The company is willing to pay up to $8,000 for critical elevation of privilege and information disclosure flaws. The company may offer up to $3,000 for spoofing and tampering vulnerabilities.
In-scope vulnerabilities include:
White hat hackers can submit reports through the MSRC Researcher Portal indicating which high-impact scenario (if any) the report qualifies for and the attack vector for the vulnerability.
(SecurityAffairs – hacking, Microsoft Defender)