Microsoft Defender Bounty Program: Rewards up to ,000 USD

Microsoft has launched the Defender Bounty Program, which aims to improve the security of its customers’ experience by incentivizing researchers with rewards of up to USD 20,000.

Through this program, Microsoft encourages researchers to identify security vulnerabilities in its Defender suite of products, which includes anti-virus, endpoint protection, and cloud security services.


By working collaboratively with the security research community, Microsoft aims to identify and address potential security issues before they can be exploited by malicious actors.

Researchers from worldwide are invited to participate in the Microsoft Defender Bounty Program to find vulnerabilities in Defender services and products.

Over time, the Defender program will grow to include additional products under the Defender brand. Initially, it will only focus on Microsoft Defender for Endpoint APIs. Submissions that meet the requirements can earn bounty payments ranging from $500 to USD 20,000.

The main aim of this program is to uncover the significant vulnerabilities by using some criteria for bounty awards:

  • Identify a vulnerability in listed in-scope Defender products that was not previously reported to, or otherwise known by, Microsoft. 
  • Such vulnerability must be of critical or important severity and reproducible on the latest, fully patched version of the product or service. 
  • Include clear, concise, and reproducible steps in writing or video format. 
  • Provide our engineers with the information necessary to quickly reproduce, understand, and fix the issue.   

To evaluate researchers’ submissions more swiftly, Microsoft asks that they include the following information: 

  • Submit through the MSRC Researcher Portal. 
  • Indicate in the vulnerability submission which high-impact scenario (if any) your report qualifies for. 
  • Describe the attack vector for the vulnerability. 
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway


Listed by severity range
Listed by severity range

Rules of Participation

  • Any  Denial of Service testing.  
  • Testing services that produce large volumes of traffic automatically. 
  • Attempting to deceive others, including our staff, using phishing or other social engineering techniques. This program’s scope is restricted to technical flaws in the designated Microsoft Online Services.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.