Microsoft will expand bug bounties - even on programs without official payouts

Microsoft introduces 'In Scope by Default' bug bounty incentives

· TechRadar

News By Craig Hale published 15 December 2025


  • Microsoft's 'In Scope by Default' bug bounty program is now open to submissions
  • Proprietary, third-party and open source code are all included
  • Microsoft paid out more than Google last year ($17 million)

Microsoft has announced an important change to the company's bug bounty program – security researchers will now be eligible to submit critical vulnerability reports across all company products and services, even where no formal bounty was available before.

The new 'In Scope by Default' approach was announced at Black Hat Europe by Tom Gallagher, Engineering VP of the company's Security Response Center.

Gallagher explained Microsoft paid out $17 million in bounties last year for "high-impact security research" across both Microsoft-owned domains and services, as well as third-party code that impacted Microsoft's online services.

'In Scope by Default'

"If a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award," Gallagher wrote.

He explained that, ultimately, Microsoft wants to "incentivize research on the highest risk areas," and that this spans Microsoft, third-party and open-source code.

For areas that aren't currently covered by a bounty program, Microsoft says payouts will be measured by severity, suggesting that the same class of vulnerability will earn the same reward regardless of whether it's found in Microsoft's code or externally.

Microsoft broadening its bug bounty program is big news, putting it miles ahead of Google, which currently focuses on core products like Google Cloud, Android and Chrome.
