
Under the new model, MSRC will pay researchers who report critical vulnerabilities that have a demonstrable impact on Microsoft's online services. "Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue," Gallagher said. "Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit."
The same class of vulnerability, and its severity, will attract the same monetary award in a third-party codebase as it would if it were found in one of Microsoft's products, he told The Register. "Where no bounty programs exist, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft."
Microsoft is expanding the Microsoft Security Response Center (MSRC) bug bounty program to an "in scope by default" model that rewards researchers for critical vulnerabilities impacting Microsoft's online services, regardless of code ownership. The program will provide equivalent monetary awards for the same vulnerability class and severity whether found in Microsoft-owned products or third-party and open-source codebases. Microsoft will remediate issues irrespective of whether code is owned and managed by Microsoft, a third party, or is open source. The approach covers new products and services at launch and targets high-risk areas such as cloud and AI.
Read at Theregister