Microsoft improves its bug bounty program with “In Scope by Default”

A positive step for Microsoft's security level

Security has been a painful issue for Microsoft on several occasions in recent years. Now, however, the tech giant is drastically expanding its bug bounty program: every critical vulnerability with a demonstrable impact on its online services is eligible for a reward, regardless of whether the flaw sits in proprietary code, third-party software, or an open-source component. The approach, summarized under the term “In Scope by Default,” suggests a positive shift in Microsoft’s security posture.

The American tech company announced the expansion during Black Hat Europe. Tom Gallagher, VP of Engineering at Microsoft Security Response Center, emphasizes that attackers do not limit themselves to specific products or services. “They don’t care who owns the code they are trying to exploit. The same approach should apply to the security community.”

A slap on the wrist

This is a positive message from Microsoft, a company that itself seemed to have downplayed the priority of security within its own software. The wake-up calls came in the form of compromises by Russian and Chinese state-sponsored actors, after which the US Cyber Safety Review Board delivered a damning assessment of Microsoft’s security practices.

Such attacks should now be a thing of the past, or at least those compromises for which Microsoft itself is largely to blame. Improvement was also needed for Microsoft to keep promoting its own cloud offering, its own applications, and its leading role within the IT ecosystem. The revamped bug bounty program looks like a sign of that hoped-for improvement, and we hope to write more often about positive initiatives of this kind, and not only from Microsoft. In any case, the broad scope of the program sounds extremely positive.

Third parties and open source included

Historically, each Microsoft product had its own defined scope within the bounty program. That restriction is now largely disappearing: if a critical vulnerability has a direct and demonstrable impact on Microsoft’s online services, it is eligible for a reward, and that includes problems in third-party code or open-source components. There is a subjective element here, because a submission must make clear how the flaw actually affects a Microsoft service rather than merely exist in a dependency, but such impact requirements are common in bug bounty programs.

Microsoft recognizes that security issues often arise where components connect to each other or where there are dependencies. The company values research that takes this broader context into account. Microsoft domains and corporate infrastructure are now also covered by the program, even where no bounty scheme previously existed.

With the rise of AI and agentic workflows, this interaction between components and applications becomes a particularly exposed attack surface, especially when organizations grant AI systems overly broad access. A malicious actor can abuse those integration points, possibly with AI helping to discover them.

Immediate impact after adoption

As soon as a new service appears, it automatically falls within scope. That is the concrete meaning behind the “In Scope by Default” name: researchers no longer have to guess what may and may not be investigated. Microsoft promises to fix all reported issues, regardless of who owns the affected code.

Last year, the company paid out more than $17 million to researchers through its bug bounties and the Zero Day Quest event. That effort has proven necessary: security vulnerabilities in critical services have potentially enormous consequences. Microsoft is also not always free to impose the rules it would like, because regulators sometimes restrict it. Consider kernel access for third-party security products: a faulty kernel-mode update from CrowdStrike on July 19, 2024, caused a global outage that took down millions of Windows systems. Last year Microsoft held a security summit with endpoint security vendors to prevent a repeat, focusing on the role that kernel mode can and cannot play in protecting endpoints.

Extra attention

The expansion of the bug bounty program focuses specifically on the high-risk areas where attackers are most active. Microsoft domains and cloud services will receive extra attention. Security researchers can find problems that insiders miss, because as outsiders they think like an attacker.

Research must be conducted in accordance with Microsoft’s Rules of Engagement for Responsible Security Research. These guidelines protect customer data and privacy, and researchers must commit to them before they begin testing. Findings are then submitted to Microsoft for review and coordinated disclosure.

The new approach would probably not have materialized if Microsoft were not promoting security initiatives more broadly, first internally and now externally. The company is working with the security community to prioritize security in all of its activities. The groundwork for this was already laid at the end of 2023, when the Secure Future Initiative was launched.