**Microsoft Expands Bug Bounty Scheme to Include Third-Party Software**
In a significant move, Microsoft has announced that it will expand its bug bounty scheme to reward individuals for finding high-risk security vulnerabilities that could impact the security of Microsoft's online services. The company is extending its existing reward programme to cover vulnerabilities in software that could affect services provided by Microsoft, regardless of whether they are owned and managed by the company.
Microsoft has a proven track record when it comes to rewarding bug hunters. In the past year alone, the company awarded over $17 million to security researchers through its bug bounty programmes and live hacking events. And with this new expansion, Microsoft is set to offer even more in 2026. The programme, dubbed "in scope by default," will cover serious vulnerabilities that affect Microsoft cloud services, including third-party and open source code.
Under the new scheme, bounties will be offered for vulnerabilities in cases where there is no existing bug bounty programme available, as long as they have an impact on Microsoft's online products. And if a vulnerability is found in open source or third-party software, Microsoft claims it "would do whatever it takes" to ensure that bugs are fixed - whether by writing patches or offering support to help the code owner address the issue.
Tom Gallagher, Vice-President for Microsoft Security Response Centre, explained that the company's approach will take a "holistic view," reflecting the ways hostile hackers actually attack systems. This often involves finding vulnerabilities at the boundaries between different software products. By extending its bounty programme to include third-party and open source code, Microsoft aims to ensure there are stronger protections against vulnerabilities in supply chains that can be used by attackers to "pivot" into high-value targets.
Gallagher emphasized that the company is not using bug reports merely for the sake of fixing individual bugs. Rather, the reports will serve as a red flag to identify areas where Microsoft may need to devote additional security resources. This approach acknowledges that vulnerabilities in supply chains can have a significant impact on overall system security.
**A Holistic Approach to Bug Bounty**
Until now, Microsoft has focused its vulnerability research on product-focused bug bounty programmes. However, the company recognizes that this narrow approach limits its effectiveness. By expanding its programme to include third-party and open source code, Microsoft is taking a more holistic view of security vulnerabilities.
Gallagher stated that this new approach will ensure there are stronger protections against vulnerabilities in supply chains that can be used by attackers to "pivot" into high-value targets. This shift in strategy reflects the changing nature of cyber threats, which often involve finding vulnerabilities between different software products.
**A Commitment to Transparency**
Microsoft has faced criticism from security researchers for "unacceptable delays" in fixing serious vulnerabilities in its Azure cloud platform and for botching one security patch that was later exploited by Chinese spies. However, the company claims it has become more transparent about security over the past 12 months.
Gallagher highlighted that Microsoft is now posting CVE reports about software vulnerabilities discovered in its cloud services, which were previously not publicly disclosed as they were automatically patched by the company. He emphasized that this approach demonstrates a commitment to transparency and accountability.
**Artificial Intelligence and Bug Bounty**
Microsoft is also exploring the use of artificial intelligence (AI) to automate the finding of vulnerabilities. While still in its early stages, Gallagher believes that AI has the potential to revolutionize bug bounty programmes by allowing for the rapid identification of vulnerabilities at a scale that humans cannot match.
"It's looking very fruitful," said Gallagher. "For a company like us, it's super valuable because we can find a bunch of issues very quickly." He added that AI can also be used to fix issues and mitigate vulnerabilities, taking bug bounty programmes to the next level.
**A Future Focus on Large Language Model AI Systems**
As the security landscape continues to evolve, Gallagher emphasized that Microsoft will focus on probing the security of large language model AI systems. Unlike traditional security vulnerability research, this will not necessarily require individuals with strong technical skills.
"If you are a good con man or social engineer, or you're just savvy with how to talk to someone, you don't need to have that technical expertise," said Gallagher. He emphasized that Microsoft runs programmes in which security researchers help develop the skills of young people interested in security vulnerability research.