Microsoft will expand bug bounties - even on programs without official payouts
Microsoft introduces 'In Scope by Default' bug bounty incentives
- Microsoft's 'In Scope by Default' bug bounty program is now open to submissions
- Proprietary, third-party and open source code are all included
- Microsoft paid out more than Google last year ($17 million)
Microsoft has announced an important change to the company's bug bounty program – security researchers will now be eligible to submit critical vulnerability reports across all company products and services, even where no formal bounty was available before.
The new 'In Scope by Default' approach was announced by the company's Security Response Center's Engineering VP, Tom Gallagher, at Black Hat Europe.
Gallagher explained that Microsoft paid out $17 million in bounties last year for "high-impact security research" across both Microsoft-owned domains and services, as well as third-party code that impacted Microsoft's online services.
'In Scope by Default'
"If a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award," Gallagher wrote.
He explained that, ultimately, Microsoft wants to "incentivize research on the highest risk areas," and this spans Microsoft, third-party and open-source code.
For areas that aren't currently covered by a bounty program, Microsoft says payouts will be measured by severity, suggesting that the same class of vulnerability will earn the same reward regardless of whether it's found in Microsoft's code or externally.
Microsoft broadening its bug bounty program is big news, putting it miles ahead of Google, which currently focuses on core products like Google Cloud, Android and Chrome.
Google recently also added AI-specific rewards for Gemini, Google Search and Workspace, but even these are still defined by categories rather than being fully open like Microsoft's 'In Scope by Default'.
Google paid out $11.8 million in vulnerability reward program incentives in 2024.
The changes to Microsoft's bug bounty program come after a series of updates throughout 2025, including the expansion and revision of the Copilot Bounty Program, Identity Bounty Program, Defender Bounty Program, M365 Bounty Program, Dynamics 365 & Power Platform Bounty Program, and Windows Bounty Program.
