Bug bounty programs are so popular these days that it’s hard to remember there was a time when most technology companies and governments considered the thought with anxiety and would never consider paying for vulnerabilities.
In fact, about 3 years before I launched Microsoft’s first bug bounties, while I was working at Microsoft, company executives vowed never to pay researchers for bugs. Why should they, when Microsoft was already receiving several hundred thousand free bug reports each year from researchers around the world?
To get to the world we have today, where vulnerability disclosure programs and bug bounties abound, we should understand the history of where it all began.
And that was with Netscape’s $500 bug bounty in 1995. Nothing much changed until Google offered $1,337 per security bug in 2010, where the only target in scope was the then-two-year-old Chrome browser. I recall my friend at Google who had started their bug bounties saying all it took for him was a short blog post plus an initial budget proposal to get Google’s full support and approval – relatively little time on his part. For me, it was a journey of three years of meetings, data analysis, game theory, and economic theory.
Data Over Dogma
I had data showing that even if we paid $5,000 per bug, we could cover Windows, Office, and Internet Explorer for three versions back on each, at a total cost of less than $1.9M. That was less than the cost to create and test just one emergency out-of-band patch.
It seemed logical – until you factor in the obvious. Microsoft was already getting those bugs for free, either directly from security researchers, or through third-party vulnerability brokers like the Zero Day Initiative who bought bugs and gave them to Microsoft for free but would only hold the bugs privately for 120 days before making the details public.
Finally, I found a crack in the corporate resistance to bug bounties – external deadlines. So, Trustworthy Computing leadership gave me a task to prove: show them when more bugs were being reported via brokers with disclosure deadlines than were coming in directly from security researchers, and they would start paying bug bounties for direct reporting of bugs.
To prove a trend, we needed at least two years of data, so bug bounties at Microsoft were at least two years from a possible launch date.
That delay was not spent idly, and didn’t stop me from writing the first formal vulnerability disclosure policy at Microsoft and becoming the coauthor and coeditor of the ISO standards on Vulnerability disclosure and Vulnerability handling processes. Those standards are followed and written into laws around the world today.
I also got permission to license fuzzers and other vulnerability discovery tools from researchers, plus I was able to create The BlueHat Prize worth $200,000. Though it was not a bug bounty, The BlueHat Prize for defense was launched in 2011, awarded in 2012, and was a critical step forward toward the goal of priming Microsoft and other big vendors to pay hackers for their help.
Trends Turned the Tides
By then I had also accumulated enough data to prove that more bugs were being reported in Internet Explorer via third-party vulnerability brokers than directly to Microsoft.
I presented the trending data to the leadership team, showing them they could use a bug bounty program to encourage and focus researchers to help weed out beta product bugs and further reduce the need for almost immediate patching shortly after product launches.
Microsoft IE Preview Bug Bounty showing actual and projected reporting trends with bug submission results
On June 19, 2013, Microsoft announced a bug bounty program focused on Windows 8.1 and Internet Explorer 11 beta vulnerabilities, and the program officially launched on June 26, 2013.
The program worked. Microsoft received eighteen high to medium severity bug reports in the first thirty days of the IE 11 Beta period, four of which were sandbox escapes, for a total cost of less than $28,000. Microsoft was also able to reverse the third-party vulnerability reporting trend, resulting in Microsoft hearing about more vulnerabilities first before those bugs were shared with any outside party.
Microsoft IE Preview Bug Bounty showing a reverse in direct vs intermediary reporting trends after launch of Bug Bounties
Microsoft was also able to pay the first $100,000 Mitigation Bypass Bounty for a brand new exploitation technique to James Forshaw. Before that program, new exploitation techniques were previously often only discovered via active 0day exploitation in the wild. This was the first time any software company had ever specifically requested that information via a bug bounty program, and it was the largest vendor bug bounty payout that ran year-round at the time.
Comically large novelty check showing the first Microsoft Bug Bounty payment of $100,000 to James Forshaw
Since those early days, Microsoft has gone all in and fully supports paying incentives to security researchers for focusing on “high impact” areas. From July 1, 2022, to June 30, 2023, Microsoft paid $13.8 million in rewards to over 345 researchers across 45+ countries. Since its inception in 2013, Microsoft has awarded more than $60 million to thousands of security researchers from 70 countries.
Microsoft Bug Bounty July 1, 2018 - June 30, 2023 program stats and highlights
Bounties Abound
During the past decade, Microsoft’s Bug Bounty Program has been instrumental in improving the security of Microsoft's products and services. It has provided an opportunity for security researchers and hackers to report vulnerabilities to Microsoft, ultimately helping protect billions of users around the world.
If the biggest software company in the world could figure out a way to do it, couldn’t everyone?
The Microsoft Bug Bounties also paved the way for the first bug bounty program of the US government: Hack The Pentagon. This next pivotal event began not only a cascade of governments running vulnerability disclosure programs, but also mandating more vendors and critical infrastructure to start doing so as well. The world began to stop fearing hackers, finally starting to view us as allies in the fight against Internet crime.
It was a major leap forward in creating another powerful tool to unite defenders inside and outside of Microsoft, and a page from the book of Internet history that should not be forgotten.
Pictured above: Microsoft team members who helped launch the bug bounty program.
L-R: David Seidman, Gerardo di Giacomo, Mark Oram (via avatar), Mike Reavey, Dustin Childs, Leah Lease, Rob Chapman, Neil Sikka, Jacqueline Lodwig, Brandon Caldwell, Katie Moussouris, Nate Jones, Sweety Chauhan, Emily Anderson, Claudette Hatcher, Cynthia Sandwick, Stephen Finnegan, Manuel Caballero, Ben Richeson, Elias Bachaalany, David Ross, Cristian Craioveanu, Ken Johnson, Mario Heiderich, Jonathan Ness. Not pictured: Christine Aguirre, Danielle Alyias, Michal Chmielewski, Chengyun Chu, Jules Cohen, Bruce Dang, Jessica Dash, Richard van Eeden, Michelle Gayral, Cristin Goodwin, Angela Gunn, Joe Gura, Dean Hachamovitch, Chris Hale, Kyle Henderson, Forbes Higman, Andrew Howard, Kostya Kortchinsky, Jane Liles, Matt Miller, William Peteroy, Georgeo Pulikkathara, Rob Roberts, Matt Thomlinson, David Wheeler, Chris Williams. Behind the camera: Jerry Bryant.