
"The company is extending its reward programme to cover vulnerabilities in software that could affect services provided by the company, irrespective of whether it is owned and managed by Microsoft. Microsoft awarded more than $17m to security researchers through its bug bounty programmes and live hacking events this past year, and expects to offer more in 2026. The Redmond-based company said the programme, dubbed 'in scope by default', will extend its bug bounty scheme to include serious vulnerabilities that affect Microsoft cloud services."
"It will offer bounties for third-party and open source code in cases where there is no existing bug bounty programme available, if they have an impact on Microsoft's online products. Microsoft claimed it 'would do whatever it takes' to ensure that bugs in open source and third-party software are fixed. 'This could be writing patches or offering support to help the code owner address,' it said. 'The level of support will depend on what is needed on a case-by-case basis.'"
"The new bounty programme will take a 'holistic approach', reflecting the ways that hostile hackers find to attack systems, which often involves finding vulnerabilities between the boundaries of different software products. Tom Gallagher, vice-president for Microsoft Security Response Centre, said the change will ensure there are stronger protections against vulnerabilities in supply chains that can be used by attackers to 'pivot' into high-value targets."
Microsoft will expand its bug bounty programme to include high-risk vulnerabilities that affect its online and cloud services. The programme, named "in scope by default", will reward findings in third-party and open-source code when no existing bounty programme covers them and those vulnerabilities impact Microsoft products. Microsoft awarded more than $17m to security researchers last year and plans to increase payouts in 2026. Microsoft commits to helping fix identified bugs by writing patches or providing support as needed. The programme adopts a holistic approach to address cross-product boundary and supply-chain risks and to guide security resource allocation.
Read at ComputerWeekly.com