Down by up to 90%: security researchers are disappointed with Microsoft's bug bounty

Some security researchers have pointed out that Microsoft is slashing its bug bounties by up to 90%. For example, last year Marcus Hutchins (known as MalwareTech) said that the value of his zero-day bug bounty was reduced to $1,000, compared to $10,000 before.

Others have expressed similar views. For example, a Hyper-V researcher and Twitter user, @rthhh17, recently stated that Microsoft's reward program believes that his Hyper-V remote code execution (RCE) vulnerability is only worth $5,000. Judging from his Twitter, during the research process, he should be able to get a higher amount.

A recent example is Abdelhamid Naceri, a Windows security researcher, who revealed to BleepingComputer that, out of frustration with the bounty, he finally decided to publicly disclose a new zero-day vulnerability. Naceri explained: "Since April 2020, Microsoft's bounties have been cancelled. If MSFT did not decide to reduce these bounties, I would really not do so."