- Microsoft’s ‘In Scope by Default’ bug bounty program is now open for submissions
- Proprietary, third-party, and open source are all included
- Microsoft paid out more than Google last year ($17 million)
Microsoft has announced a significant change to its bug bounty program: security researchers are now eligible to submit critical vulnerability reports across all of the company’s products and services, including areas where no formal bounty was offered before.
The new ‘In Scope by Default’ approach was announced by Tom Gallagher, VP of Engineering at the Microsoft Security Response Center, at Black Hat Europe.
Gallagher explained that Microsoft paid out $17 million in bounties last year for “high-impact security research” covering Microsoft-owned domains and services as well as third-party code that affected Microsoft’s online services.
‘In scope as standard’
“If a critical vulnerability has a direct and demonstrable impact on our online services, it is eligible for a bounty,” Gallagher wrote.
He explained that Microsoft ultimately wants to “encourage research in the highest risk areas,” and that this spans Microsoft, third-party and open source code.
For areas not currently covered by a bounty program, Microsoft says payouts will be determined by severity, so the same class of vulnerability should earn the same reward whether it resides in Microsoft’s own code or in third-party or open source code that Microsoft depends on.
Microsoft’s expansion of its bug bounty program is big news, putting its scope well beyond Google’s program, which currently focuses on core products such as Google Cloud, Android and Chrome.
Google also recently added AI-specific rewards for Gemini, Google Search and Workspace, but even these are still defined by categories rather than being completely open like Microsoft’s ‘In Scope by Default’.
Google paid out $11.8 million in Vulnerability Rewards Program incentives in 2024.
The changes to Microsoft’s bug bounty program come after a series of updates throughout 2025, including the expansion and revision of the Copilot Bounty Program, the Identity Bounty Program, the Defender Bounty Program, the M365 Bounty Program, the Dynamics 365 & Power Platform Bounty Program, and the Windows Bounty Program.