Microsoft has paid out more than $128,000 to security researchers since first offering bug bounties just over three months ago.
Several big software companies, including Google, Paypal and Facebook, have established bug bounty programmes, but Microsoft had stopped short of offering similar cash rewards before.
The bulk of the rewards paid so far are for a mitigation bypass technique and 15 exploitable vulnerabilities reported in the preview version of the latest version of Microsoft’s web browser, Internet Explorer 11 (IE11), which is scheduled to ship with Windows 8.1 on 18 October 2013.
Microsoft said it would pay up to $11,000 under the IE11 Preview Bug Bounty programme that ran from 26 June to 26 July 2013.
The software firm’s other two bug bounty programmes are ongoing.
Under the Mitigation Bypass Bounty programme, Microsoft will pay up to $100,000 for “truly novel” exploitation techniques against protections built into Windows 8.
And the BlueHat Bonus for Defense programme offers up to $50,000 for defensive ideas that block a mitigation bypass technique.
Announcing the bug bounty programmes, Microsoft said they would provide another way for the company to harness the collective intelligence and capabilities of security researchers.