Microsoft has launched the Microsoft Defender Bounty Program, encouraging global researchers to identify vulnerabilities within Defender products and services. The program initially focuses on Defender for Endpoint APIs and offers rewards ranging from $500 to $20,000, based on the impact and quality of the reported flaws. The highest bounties are reserved for critical-severity remote code execution issues, with rewards decreasing for lesser-severity vulnerabilities like elevation of privilege and information disclosure. Researchers must report flaws within the program’s scope, not previously disclosed, and replicable on the latest fully patched product version. The scope covers various vulnerabilities, including XSS, CSRF, SSRF, injection, and security misconfiguration issues. Reports must be clear, concise, and include necessary details to reproduce the problem, submitted through the MSRC Researcher Portal. The program focuses on technical vulnerabilities in Defender-related products and services and encourages halting research if any customer data is encountered, emphasizing safety. Additional information is available on the MSRC portal.

Read more: https://www.securityweek.com/microsoft-offers-up-to-20000-for-vulnerabilities-in-defender-products/