Microsoft Now Offers Up to $30,000 for AI Vulnerability Fixes
In a move aimed at bolstering its security efforts and incentivizing the discovery of potential vulnerabilities, Microsoft has announced an increase in bug bounty payouts for certain types of artificial intelligence (AI) issues. The company now offers rewards ranging from $500 to $30,000 for eligible submissions related to Dynamics 365 and Power Platform services and products.
Power Platform is a suite of applications designed to help companies analyze data and automate processes, while Dynamics 365 is a set of business apps that connect customers, products, people, and operations. The company's AI vulnerability bounty program aims to encourage individuals or organizations to identify security vulnerabilities in these targeted services and share them with Microsoft's team.
Eligible AI vulnerability types include inference manipulation, model manipulation, and inferential information disclosure of critical or important severity. These submissions must meet specific criteria, including being reproducible on a product or service listed in the In Scope Services and Products, as defined by Microsoft's Vulnerability Severity Classification for AI Systems.
According to Microsoft, qualified submissions are eligible for bounty rewards that range from $500 to $30,000 USD. However, higher payouts are also possible based on the impact and severity of the reported vulnerabilities and the quality of the submission. For instance, during last year's Ignite annual conference, Microsoft expanded its bug bounty program by launching the Zero Day Quest, a hacking event focused on cloud and AI products and platforms.
As part of this initiative, the company paid out over $1.6 million to researchers who reported more than 600 vulnerabilities during the qualifying research challenge and live event. Additionally, nearly 100 researchers participated in Microsoft's training sessions, which included AI bug hunting with its AI Red Team, SSRF training with its engineering team, and tips and advice from the bounty team.
This increase in payouts follows earlier announcements by Microsoft regarding increased rewards for moderate-severity AI vulnerabilities. The company has also recently offered a 100% award multiplier for all Copilot bounty awards to incentivize further research into its artificial intelligence capabilities.
A Comparison of Bug Bounty Programs
To put Microsoft's bug bounty program into perspective, let's compare it with other major tech companies:
- OpenAI: Offers $100,000 for critical vulnerabilities in its AI products and platforms.
- Google: Paid out over $12 million in bug bounties to security researchers last year.
- Windows: Recently fixed a machine learning bug that could be used to block future updates.
- Adobe: Warned users about an email security issue after discovering a vulnerability that could flag legitimate emails as spam.
In conclusion, Microsoft's recent increase in bug bounty payouts for AI vulnerabilities reflects the company's commitment to enhancing its security posture and encouraging researchers to identify potential vulnerabilities. As the tech industry continues to evolve, it will be interesting to see how other companies respond to this trend.