For example, remote code execution vulnerabilities can fall into the Tier 0, Tier 1 or Tier 2 payout categories. A Tier 1 report will receive a maximum payout of $11,000 and needs to be accompanied by a proof-of-concept and a functioning exploit, while a Tier 0 report can be rewarded with over $11,000, at Microsoft's discretion, but also requires a white paper and possibly a sandbox escape.
Important or high-severity design-level vulnerabilities, security bugs with privacy implications and sandbox escape vulnerabilities fall into the Tier 2 category and are rewarded with a minimum of $1,100. ASLR information disclosure vulnerabilities fall into the Tier 3 category and are rewarded with a minimum of $500.
Microsoft has paid for defensive techniques before as part of its BlueHat Prize contest and has also contracted researchers to pen-test its products internally. However, this is its first public bug bounty program.
Microsoft has always received vulnerability reports from outside researchers and continues to do so, Reavey said. However, the company also noticed a market shift, where many reports come from researchers through vulnerability brokers that buy vulnerability information through their own programs, he said.
That's great, because those are high quality reports, but there is a market gap that Microsoft's newly announced bounty programs will attempt to fill, Reavey said. "We don't see many brokers that pay for mitigation bypasses because those are top dollar and we also don't see brokers paying for vulnerabilities found before a product is released, while still in the beta period."
The beta testing period is the optimal time to receive this information because it allows the developer to release a more secure final product and have as many issues as possible addressed before they can impact customers, Reavey said.
As for mitigation bypasses, Microsoft would traditionally receive those after they're found being used in attacks, or once a year or so as the result of contests run at security conferences, he said. "What we want to do is make sure we can get those year-round, as early as possible, so we can protect customers."