Microsoft trumps Google for 2021-22 bug bounty payouts

Microsoft appears to have beaten Google on the bug bounty front, with $13.7 million in rewards spread out over 335 researchers.

Google, in comparison, awarded $8.7 million during 2021, a figure it described as “record breaking.” Microsoft’s numbers run from July 1, 2021, to June 30, 2022. With its Office productivity suite and Windows operating systems, Microsoft has an impressive attack surface with all manner of legacy code through which attackers might poke holes.

The biggest prize awarded by Microsoft was $200,000 under the Hyper-V Bounty Program and the average award was $12,000.

If you’re suffering from a bit of déjà vu, we understand. The figure is exactly the same as that revealed in 2020 (itself a more than trebling of the $4.4m awarded during the same period the previous year). The Register contacted Microsoft to check that there had been no embarrassing whoopsies in the copy-paste department and will update should the software giant respond.

Two years on, and there is a slight drop in eligible vulnerability reports and an equally slight increase in the number of researchers awarded.

Microsoft has made some changes this year, paying up to $26,000 more for “high impact” bugs turned up in its Office 365 product line. Other awards were increased by up to 30 percent.

We spoke to Google’s bug bounty boss earlier this week, who described simply finding and patching vulnerabilities as “totally useless” – the real payoff was what the company could learn from the exploits and the work of researchers, who are often motivated more by curiosity than financial reward (although the latter certainly does no harm).

While bug bounty programs undoubtedly encourage the responsible disclosure of vulnerabilities, they also have their critics.

Microsoft has continued to tinker with its bug bounty program, with the addition of attack scenarios on Azure, Dynamics 365, and its Power Platform. ®