Practical advice for earning higher Microsoft bounty awards

Posted on Tuesday March 12, 2019  |  MSRC alerts

This year at the Nullcon International Security Conference I shared practical advice for how security researchers can maximize the impact of their security vulnerability submissions and earn higher bounty awards under the Microsoft Bounty Program. For those who couldn't be there, I had two core pieces of advice.

• First, focus vulnerability research on the products and services that are eligible for bounty rewards. The eligible scope is published on our website. We expand our programs throughout the year, so check back regularly for new potential areas to research and follow us on Twitter for announcements of new bounty programs.
• Second, when reporting security vulnerabilities, provide clear, concise information to help our engineering teams reproduce the vulnerability for themselves. Detailed and well written instructions, or even short videos can more than double the possible award amount for bounty eligible properties.

In addition to talking about vulnerability hunting in Microsoft’s bounty programs, we also want to help security researchers develop their skills. This year we sponsored more than 20 researchers to attend the conference, which included hands on training and workshops on hardware and software security. With almost 2000 attendees from across India, Nullcon was a great place to connect with the security researcher community across the region and see excellent technical talks from James Forshaw, Jaya Baloo, and others . Thanks to Antriksh Shah and the team at Payatu for bringing everyone together for such a great event.

Thank you to everyone who I met at Nullcon and to those who attended my talk. For more details and some real-world examples of high quality and high reward submissions, check out my presentation slides here.

Happy Hacking!
Jarek Stanley, @JarekMSFT
Senior Program Manager
MSRC

All Microsoft Bug Bounty Programs are subject to the terms and conditions outlined here.

The Microsoft Security Response Center is part of the defender community and on the front line of security response evolution. For more than twenty years, we have been engaged with security researchers working to protect customers and the global online community. For more information, please visit our website at www.microsoft.com/msrc and follow our Twitter page at @msftsecresponse.