Key Highlights
- The initial scope covers a wide span of Microsoft’s consumer AI services, including Bing chatbots, Microsoft Start, Skype mobile app, and more.
- Microsoft’s new bounty program offers substantial rewards ranging from $2,000 to $15,000 per qualifying bug report.
- The program welcomes submissions from any qualified security researcher worldwide, regardless of experience level.
Microsoft announced the launch of an expansive new bug bounty program on Thursday, aimed at incentivizing security researchers across the globe to identify and responsibly disclose vulnerabilities in the company’s rapidly expanding suite of AI-powered Bing services and applications.
The program offers substantial bounties ranging from $2,000 to $15,000 per qualifying vulnerability report, with the highest rewards reserved for the most critical and impactful bugs.
According to Microsoft, the top bounty for a single qualifying submission could reach up to $200,000 for vulnerabilities that have an extremely severe potential impact.
Bolstering AI System Security a Priority
The program is the latest increase in Microsoft’s ongoing investment in the security and integrity of its AI systems. As the company has integrated progressively more advanced AI capabilities across its consumer and enterprise product lines, it has made AI security a high priority.
Over the past few years, Microsoft has steadily expanded its in-house AI security research teams in addition to collaborating closely with academics and partner organizations across the industry.
Leveraging Global Security Research Community
With the new bounty program, Microsoft is aiming to tap into the immense talent of the global cybersecurity research community to surface vulnerabilities that may elude even its own expert security team.
The company strongly believes that the expanded incentive structure will enable the discovery of critical flaws that could otherwise slip through the cracks.
Open to All Qualified Researchers
The program is open to all qualified security researchers regardless of location and experience level. Participants can register and submit vulnerability reports through the Microsoft Security Research Center portal.
In addition to cash incentives, the company says bounty recipients will be recognized and credited for their contribution to improving Microsoft’s AI security posture.
Scope Covers Wide Range of Bing AI Services
The initial scope encompasses a wide range of Microsoft’s consumer-facing AI services and functionality:
- Bing AI features on bing.com accessed through web browsers like Microsoft Edge, including Bing Chat, Bing Chat for Enterprise, and Bing Image Creator
- AI-enhanced Bing integration in the Microsoft Start apps for iOS and Android devices
- AI-enhanced Bing features within the Skype mobile app on iOS and Android
- Broad new areas of Bing AI capabilities on intelligent edge devices and other platforms as Microsoft continues expanding access
Qualification Criteria
To qualify for bounty rewards, program participants must be the first to report previously unknown vulnerabilities and provide clear reproduction steps along with an analysis of potential impact severity. Payout amounts will be assessed based on these factors.
Driving More Secure AI Development
Last year alone, Microsoft paid out over $13 million to security researchers reporting qualifying vulnerabilities through its bug bounty programs, highlighting the immense value derived from community-driven security research.
With AI emerging as the new paradigm in software development, the company hopes its expanded bounties will help secure AI-powered functionality across its ecosystem.