If you find a bug in a popular application from a large company, there is a good chance that they offer a ‘bug bounty’ program where you can report the issue and make a little bit of money for uncovering the flaw. These programs have been around for some time, but surprisingly, Microsoft did not offer a reward for reporting issues with Windows.
Starting today, Microsoft is expanding programs it has offered as far back as 2012 to include Windows 10, in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. Payouts can range from as low as $500 for finding a flaw in an Insider preview build to $250,000 for an issue with Hyper-V.
These types of bounty programs are necessary in a world where exploits found in a program can be sold to nation states or to other malicious groups to create ransomware. With Microsoft now offering a direct payout for reporting security flaws in its products for Windows, the goal is to reduce the number of exploits released in the wild and make Windows a more secure product.
What’s odd is that it has taken Microsoft this long to create a Windows 10 bounty program. You would think they would want everyone to report any flaw to them right away, but when there is financial gain to be made by keeping an exploit private, there is little incentive to do so unless Microsoft was willing to offer a reward, which it previously was not doing.