Microsoft Bug Bounty Program Expanded to Third-Party Code


All critical vulnerabilities in Microsoft, third-party, and open source code are eligible for rewards if they impact Microsoft services.

Microsoft on Thursday announced a massive expansion to its bug bounty program, which now also covers third-party and open source code.

As long as a critical vulnerability impacts Microsoft’s services, the researcher who finds and reports it is eligible for a bug bounty reward.

“If a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source, we will do whatever it takes to remediate the issue,” Microsoft VP Tom Gallagher says.

Microsoft explains that this ‘In Scope by Default’ approach aligns with hackers’ view of the attack surface: all security defects matter.

“In an AI and cloud-first world, threat actors don’t limit themselves ...


Copyright of this story solely belongs to SecurityWeek.