Isn't this the same kind of thing where if some tiny little guy reported it he might get sued? Or is Microsoft a small exception where they actually look forward to people reporting these things so they can fix them?

Microsoft Bounty Programs

Calling all Microsoft friends, hackers, and researchers! Do you want to help us protect customers, making some of our most popular products better… and earn money doing so? Step right up!

Microsoft offers direct payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.

Microsoft has championed many initiatives to advance security and to help protect our customers, including the Security Development Lifecycle (SDL) process and Coordinated Vulnerability Disclosure (CVD). We formed industry collaboration programs such as the Microsoft Active Protections Program (MAPP) and Microsoft Vulnerability Research (MSVR), and created the BlueHat Prize to encourage research into defensive technologies.

Since June 2013, we’ve also offered bounties for certain classes of vulnerabilities reported to us. These bounty programs help Microsoft harness the collective intelligence and capabilities of security researchers to help protect customers. As you’ll see from the list below, several time-limited programs apply only to preview versions, so we can address the vulnerabilities before the final version is complete.

Take a look at the active programs below and review the program details at each link. If you have a vulnerability that might be a match for one of our bounty programs, please contact us at [email protected] with details.

Happy Hunting!

Microsoft Security Response Center

Active Bounty Programs

Program Name

Start Date

Ending Date

Eligible Entries

Bounty range

Microsoft .NET Core and ASP.NET Core Bug Bounty Program Terms
September 1, 2016 Ongoing Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details) Up to $15,000 USD

Microsoft Edge RCE on Windows Insider Preview Bug Bounty
August 4, 2016 May 15, 2017 Critical RCE in Microsoft Edge in the Windows Insider Preview. TIME LIMITED. Up to $15,000 USD

Online Services Bug Bounty (O365)
September 23, 2014 Ongoing Vulnerability reports on applicable O365 services (see link for program details). Up to $15,000 USD

Online Services Bug Bounty (Azure)
April 22, 2015 Ongoing Vulnerability reports on eligible Azure services (see link for program details). Up to $15,000 USD

Mitigation Bypass Bounty
June 26, 2013 Ongoing Novel exploitation techniques against protections built into the latest version of the Windows operating system. Up to $100,000 USD

Bounty for Defense
June 26, 2013 Ongoing Defensive ideas that accompany a qualifying Mitigation Bypass submission Up to $100,000 (in addition to any applicable Mitigation Bypass Bounty).

Microsoft Bounty Program Navigation Bar

Overview of all Microsoft Bounty Programs

FAQ

Online Service (Office 365 and Azure)

Mitigation Bypass and Bounty for Defense

.NET Core and ASP.NET Core

Microsoft Edge RCE on Windows Insider Preview

.NET Core and ASP.NET Core RC2

Nano Server Beta Bounty

Edge Beta Bounty 2015

CoreCLR and ASP.NET 5 Beta Bounty

Related Content

How to report online services security vulnerabilities

About MSRC

MSRC Blog

• October 2016 security update release
  
  Tuesday, Oct 11
  
  Update to the Microsoft Edge Web Platform on Windows Insider Preview Bug Bounty Program terms
  
  Wednesday, Sep 28
  
  September 2016 security update release
  
  Tuesday, Sep 13

SRD Blog

• Security Engineering Evolution in Office 2016 for Mac
  
  Wednesday, Sep 28
  
  Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available
  
  Tuesday, Feb 2
  
  Triaging the exploitability of IE/EDGE crashes
  
  Tuesday, Jan 12

Acknowledgement Pages

Online Services Acknowledgments

Bounty Hunters: The Honor Roll

Microsoft bounty for finding vulnerabilities

Good, it's one of those moments I'd post that tiny little clip of Louis CK saying "It's the cool crowd" and pointing his fingers. Good to see Microsoft allows bounties.