Microsoft is overhauling its bug bounty program to reward exploit hunters for finding vulnerabilities across all its products and services, even those without established bounty schemes.
Tom Gallagher, VP of engineering at Microsoft Security Response Center (MSRC), told Black Hat Europe delegates yesterday that the company will adopt what it calls an "in scope by default" approach.
Under the new model, MSRC will pay researchers who report critical vulnerabilities that have a demonstrable impact on Microsoft's online services.
"Regardless of whether the code is owned and managed by Microsoft, a third party, or is open source, we will do whatever it takes to remediate the issue," Gallagher said. "Our goal is to incentivize research on the highest risk areas, especially the areas that thre

The Register
