
Microsoft now pays security researchers for finding critical vulnerabilities in any of its online services, regardless of whether the code was written by Microsoft or a third party.
This policy shift was announced at Black Hat Europe on Wednesday by Tom Gallagher, vice president of engineering at the Microsoft Security Response Center.
As Gallagher explained, attackers do not distinguish between Microsoft code and third-party components when exploiting vulnerabilities, prompting the company to expand its bug bounty program to cover all Microsoft online services by default, with all new services in scope as soon as they are launched.
The program now also includes security flaws in third-party dependencies, including commercial or open-source components, if they impact Microsoft online services.
"Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it's eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we'll do whatever it takes to remediate the issue," Gallagher said.
"Our goal is to incentivize research on the highest-risk areas, specifically the areas that threat actors are most likely to exploit. Where no bounty program exists, we'll recognize and award the diverse insights of the security research community wherever their expertise takes them."
Microsoft has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous 12 months.
Today's announcement is part of Microsoft's broader Secure Future Initiative, designed to prioritize security across the whole company's operations.
As part of the same initiative, Microsoft also disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps, and has updated Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols.
More recently, it began rolling out a new Teams feature to block screen capture attempts during meetings and announced plans to secure Entra ID sign-ins from script injection attacks.
