Microsoft is increasing payouts for its Copilot bug bounty program
Microsoft has announced an expansion of its Copilot bug bounty program, boosting payouts and adding coverage of WhatsApp and Telegram tools.
The move comes after a set of flaws spotted by researchers in August would have allowed hackers to “confuse” Copilot into leaking confidential data, while a separate flaw spotted by Tenable could have allowed attackers to meddle with Copilot Studio to access data.
Such vulnerabilities in Copilot were spotted by researchers and addressed by Microsoft, rather than first found by hackers and put to use against customers — and that’s exactly the way Microsoft would like it to work.
“We believe that collaboration with the security research community is essential to maintaining the integrity and security of our Copilot consumer products,” wrote Lynn Miyashita and Madeline Eckert from the Microsoft bounty team in a blog post earlier this month.
Copilot bug bounty scheme eyes wider scope
Microsoft first unveiled a bug bounty program for Copilot in October 2023 for AI in Bing, later expanding it to include the wider suite of Copilot products and more recently to cover a wider range of flaws.
Now, the company is increasing the bounty award payments and the scope of the program, as well as more closely aligning the Copilot severity ratings with its existing online vulnerability classification system.
To start, the payouts of up to $5,000 will now extend to moderate vulnerabilities, which didn’t earn a bounty previously; low severity flaws remain unpaid.
“We recognize that even moderate vulnerabilities can have significant implications for the security and reliability of our Copilot consumer products,” the blog post added.
“To address this, we are introducing new incentives for moderate severity Copilot cases. Researchers who identify and report moderate severity vulnerabilities will now be eligible for bounty rewards up to $5,000.”
Bounty awards now vary between $250 to $5,000 for moderate flaws, $1,000 to $20,000 for important flaws, and up to $30,000 for the most serious critical vulnerabilities. Microsoft notes that higher awards are possible.
Beyond the bounties, Microsoft is expanding the reach of Copilot for Telegram and Copilot for WhatsApp, as well as web access via copilot.microsoft.com and copilot.ai.
“This expansion provides researchers with more opportunities to contribute to the security of our Copilot ecosystem and helps us identify and mitigate potential vulnerabilities across a wider array of platforms,” the blog post added.
Vulnerability classification
While the expanded bounties may catch the attention of researchers, Microsoft said the biggest change was the integration of the Microsoft Vulnerability Severity Classification for Online Services, otherwise known as the Online Services bug bar, following previous work with the AI version of that system.
As part of the move, Microsoft aims to create a more consistent severity framework for vulnerabilities spotted in Copilot.
“By aligning with the Online Services Bug Bar, we ensure that all reported vulnerabilities are assessed with the same rigor and standards applied across Microsoft’s online services,” the company said.
“This not only streamlines the evaluation process but also enhances the transparency and fairness of our bounty rewards.”
MORE FROM ITPRO
Source link
