- Microsoft’s ‘In Scope by Default’ bug bounty program is now open for submissions
- Proprietary, third-party, and open source code included.
- Microsoft paid out $17 million last year, more than Google ($11.8 million in 2024)
Microsoft has announced a major change to the company’s bug bounty program: security researchers will now be able to submit reports of critical vulnerabilities across the company’s products and services, even when no formal bounty was previously available.
The new ‘In Scope by Default’ approach was announced by the company’s Security Response Center vice president of engineering, Tom Gallagher, at Black Hat Europe.
Gallagher explained that Microsoft paid $17 million in rewards last year for “high-impact security investigations” into Microsoft domains and services, as well as into third-party code that affected Microsoft online services.
‘In Scope by Default’
“If a critical vulnerability has a direct and demonstrable impact on our online services, you are eligible to receive a reward,” Gallagher wrote.
He explained how Microsoft ultimately wants to “incentivize research in the highest risk areas,” and this encompasses Microsoft, third-party, and open source code.
For areas not currently covered by a dedicated bounty program, Microsoft says payouts will be determined by severity, suggesting that the same class of vulnerability will earn the same reward whether it is found in Microsoft’s own code or in third-party or open source code that affects its services.
Expanding the program this way is big news, and it puts Microsoft well ahead of Google, whose bounty program is still scoped to core products such as Google Cloud, Android, and Chrome.
Google recently added AI-specific rewards covering Gemini, Google Search, and Workspace, but these too are defined by product category rather than being open by default in the way Microsoft’s ‘In Scope by Default’ approach is.
Google paid $11.8 million in vulnerability bounty program incentives in 2024.
The changes to Microsoft’s bug bounty program come after a series of updates throughout 2025, including the expansion and overhaul of the Copilot Bounty program, the Identity Bounty program, the Defender Bounty program, the M365 Bounty program, the Dynamics 365 & Power Platform Bounty program, and the Windows Bounty program.