Microsoft accused of cutting bug bounty rewards by up to 90%, security researchers say

According to several security researchers, Microsoft has significantly reduced the cash rewards paid out under its bug bounty programs. The Redmond giant has apparently cut the rewards for some submissions tenfold, that is, by 90%.

For example, last year Marcus Hutchins (aka MalwareTech on Twitter) said that the reward for one of his zero-day findings was reduced to $1,000, down from $10,000 previously.

Under Microsoft's new bug bounty program, one of my zero days went from $10,000 to $1,000.

Others share similar sentiments. For example, Hyper-V researcher and Twitter user @rthhh17 recently stated that Microsoft's reward program valued his Hyper-V Remote Code Execution (RCE) vulnerability at only $5,000. According to his tweet, the bounty was reduced, possibly from a much larger amount, while the submission was still under review. We'll come back to this at the end of the article.

BE CAREFUL! Microsoft will reduce your reward at any time! This is a Hyper-V RCE vulnerability that can be triggered from a guest machine, but is eligible for a $5,000 reward from the Windows Insider Preview Bounty Program. Unfair!

And finally, the most recent example is Windows security researcher Abdelhamid Naseri, who reportedly told BleepingComputer that he publicly disclosed a new zero-day bug out of sheer frustration.

When BleepingComputer asked Naseri why he publicly disclosed the zero-day vulnerability, he said he did so out of frustration with Microsoft's declining bounty payouts.

"The Microsoft bounty has been canceled since April 2020; I really wouldn't have done it if MSFT hadn't decided to lower those premiums," Naseri explained.

Microsoft lists the following awards on its Microsoft Bug Bounty page:

[Images: Microsoft Bug Bounty Awards tables]

Interestingly, while Hyper-V researcher @rthhh17 claims that his RCE vulnerability was deemed worthy of a $5,000 reward, Microsoft's website states that such a finding is eligible for "up to $250,000" under the Hyper-V bounty program (the Hyper-V listing in the tables above). Seen from the researcher's perspective, $5,000 against a $250,000 ceiling would mean a 98% reduction in the reward in the worst case.

via BleepingComputer