bit-tech.net

Microsoft, Google boost bounty payouts

Microsoft and Google have both increased their maximum bug bounty payouts, in some cases doubling the previous maximum available to researchers.

Microsoft and Google have both announced increased payouts for their respective bug bounty programmes, which offer security researchers cash in exchange for private disclosure of critical security flaws.

Bug bounty programmes are becoming increasingly popular among technology companies, with Apple recently launching its own following Microsoft's 2013 launch and Google's long-running, publicly accessible programmes. For every company willing to pay large sums for security flaws, though, there's a malicious actor waiting in the wings to pay even more - which is, it's fair to surmise, likely why both Google and Microsoft have announced that they are increasing their bounty payouts.

Microsoft's programme expansion runs through until May this year and doubles the value of vulnerabilities discovered in its Exchange Online and Office 365 Admin platforms from a minimum payout of $500 to $1,000 and a maximum payout of $15,000 to $30,000. Other bounty programmes run by the company, including those paying out for bugs found in its Windows platform, have not been increased. Google, meanwhile, is increasing its own bounties while also paying homage to 133t h4ck3r culture: Remote code execution vulnerabilities are now eligible for payouts of up to $31,337 from $20,000 and file system or database access vulnerabilities up to $13,337 from $10,000. Payouts for other vulnerabilities - including cross-site scripting attacks and security control bypass attacks - remain unchanged.

Those who fancy chancing their arm at finding an eligible flaw can find more information regarding the bounties on Microsoft's Security TechCentre and Google's Reward Programme hub.

3 Comments

Flibblebot 3rd March 2017, 13:52
Quote:
Originally Posted by Article
from a minimum payout of $500 to $100
Missing a zero...?

It still all boils down to who is quicker: the bug hunters or the 1337 hackers? No amount of money will change that dynamic.
Gareth Halfacree 3rd March 2017, 14:08
Quote:
Originally Posted by Flibblebot
Missing a zero...?
Yes. Yes, I am. I'll go fix, ta!
Quote:
Originally Posted by Flibblebot

It still all boils down to who is quicker: the bug hunters or the 1337 hackers? No amount of money will change that dynamic.
Except the point of a bug bounty is that you can tempt the 1337 h4xx0rz as well. What's more fun: hacking Google's homepage to say CRASH OVERRIDE WOZ ERE and risking arrest, or telling Google how to hack the homepage and walking away with tens of thousands of dollars?

The bigger risk is that while Google will give you $31,337, A. N. Other National Security Outfit will give you $500,000 for the same vulnerability.
Flibblebot 3rd March 2017, 16:14
Quote:
Originally Posted by Gareth Halfacree
The bigger risk is that while Google will give you $31,337, A. N. Other National Security Outfit will give you $500,000 for the same vulnerability.
Surely you can't be talking about state-sponsored hacking? Because the Trumpster says it doesn't happen, and if he says it then it must be true. You're in danger of being branded as fake news and being banned from White House press briefings :D