{"id":6201,"date":"2025-12-13T01:47:47","date_gmt":"2025-12-13T01:47:47","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6201"},"modified":"2025-12-13T01:47:47","modified_gmt":"2025-12-13T01:47:47","slug":"microsoft-flips-security-script-in-scope-by-default-makes-all-vulnerabilities-fair-game-for-bug-bounties","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6201","title":{"rendered":"Microsoft flips security script: \u2018In scope by default\u2019 makes all vulnerabilities fair game for bug bounties"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Today\u2019s AI-enabled attackers are agnostic: They\u2019re not limiting themselves to specific companies, products, or services \u2014 they\u2019re going where the vulnerabilities are. To meet them on this ground, Microsoft is pivoting its cybersecurity strategy to what it calls \u2018In Scope by Default.\u2019<\/p>\n<p>Now, any \u201ccritical vulnerability\u201d with a \u201cdemonstrable impact\u201d on Microsoft\u2019s online services is eligible for a bounty award. This applies to code owned and managed by Microsoft, as well as to anything delivered by a third party or via open-source.<\/p>\n<p>Threat actors \u201cdon\u2019t care who owns the code they try to exploit,\u201d Tom Gallagher, VP of engineering at the Microsoft Security Response Center, wrote in a <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/blog\/2025\/12\/in-scope-by-default\" target=\"_blank\" rel=\"noopener\">blog post<\/a> announcing the new security policy. 
\u201cThe same approach should apply to the security community who continue to partner with us to provide critical insights that help protect our customers.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Goal to \u2018incentivize research\u2019<\/h2>\n<p>\u2018In Scope by Default\u2019 was announced at Black Hat Europe on Friday, with Gallagher saying that Microsoft \u201cwill do whatever it takes\u201d to remediate surfaced issues.<\/p>\n<p>This strategic shift comes as attackers continuously up their game, aided by AI tools. Microsoft was recently impacted by a <a href=\"https:\/\/www.csoonline.com\/article\/4025691\/microsoft-sharepoint-zero-day-breach-hits-on-prem-servers.html\" target=\"_blank\" rel=\"noopener\">zero-day vulnerability in SharePoint<\/a> that trickled down to businesses and government agencies alike, and in October, the company\u2019s own security update triggered <a href=\"https:\/\/www.csoonline.com\/article\/4076016\/security-patch-or-self-inflicted-ddos-microsoft-update-knocks-out-key-enterprise-functions-2.html\" target=\"_blank\" rel=\"noopener\">a range of failures<\/a>. And just today, to plug the gap until Microsoft can develop its own fix, <a href=\"https:\/\/blog.0patch.com\/2025\/12\/free-micropatches-for-windows-remote.html\" target=\"_blank\" rel=\"noopener\">free unofficial patches<\/a> were made available by a third party for a newly discovered Windows zero-day vulnerability that gives attackers the ability to crash the Remote Access Connection Manager (RasMan) service.<\/p>\n<p>Microsoft has employed a range of tactics to combat these threats. Gallagher pointed out that, in 2024, the company awarded more than $17 million through its bug bounty program and live hacking events, and its strategy pivot will expand award eligibility. 
Rather than bounties being offered only for bugs in defined scopes, issues with all online services will be included by default, from the moment the services are released.<\/p>\n<p>\u201cOur goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit,\u201d said Gallagher.<\/p>\n<p>Eligibility will now include:<\/p>\n<ul>\n<li>Microsoft-owned domains and cloud services. Security researchers without a Microsoft insider perspective will be encouraged to target its infrastructure under agreed-upon rules of engagement.<\/li>\n<li>Third-party code, including open source. In cases where no bug bounty exists in this area, Microsoft will now offer one. Identifying vulnerabilities in third-party code can help raise the bar for \u201ceveryone who relies on this code,\u201d Gallagher noted.<\/li>\n<\/ul>\n<p>This shift is \u201cquite significant,\u201d particularly for a company of Microsoft\u2019s size, noted <a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\/\" target=\"_blank\" rel=\"noopener\">Erik Avakian<\/a>, technical counselor at Info-Tech Research Group. 
The new default inclusion policy is backed by process and governance, and is being applied across the tech giant\u2019s \u201cmassive, heterogeneous ecosystem.\u201d<\/p>\n<p>\u201cMicrosoft is explicitly pulling third-party and open-source dependencies into scope when they impact Microsoft services, which reflects how real attacks actually traverse shared infrastructure rather than clean product boundaries,\u201d said Avakian.<\/p>\n<p>Researchers are welcome to <a href=\"https:\/\/msrc.microsoft.com\/report\/vulnerability\" target=\"_blank\" rel=\"noopener\">submit their findings<\/a> for assessment and for coordinated disclosure, the practice of privately reporting vulnerabilities to vendors so that they can diagnose and fix issues before they are announced publicly.<\/p>\n<p>Microsoft and its partners follow the <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/pentest-rules-of-engagement\" target=\"_blank\" rel=\"noopener\">Rules of Engagement for Responsible Security Research<\/a>, Gallagher noted, which encourages a variety of red teaming activities, such as performing vulnerability assessments on Azure virtual machines (VMs), testing surge capacity, attempting to break out of system boundaries and shared service containers, testing security monitoring and detection systems, and evaluating conditional access.<\/p>\n<p>However, these rules of engagement prohibit red teamers from using or accessing credentials that aren\u2019t their own, launching phishing attacks against Microsoft employees, performing denial-of-service testing or other testing that generates excessive traffic, or interacting with storage accounts not included in a user\u2019s own subscription.<\/p>\n<h2 class=\"wp-block-heading\">Pros and cons to the approach<\/h2>\n<p>This widening of scope isn\u2019t necessarily new, noted Info-Tech\u2019s Avakian, though cloud service providers (CSPs), financial institutions, and SaaS companies publish narrower scope language and handle many cases 
through back-channel negotiation. But much of this still relies heavily on researcher goodwill and internal judgment calls.<\/p>\n<p>Microsoft\u2019s wider scope is a bit different, and could result in fewer gray-area arguments and the \u201cis this in scope?\u201d back-and-forth questioning that can expend time and create friction with researchers, said Avakian. It also provides better signaling: If people don\u2019t fear disqualification, they\u2019re more likely to submit early-stage findings. This is great for defenders and can foster stronger trust in the research community.<\/p>\n<p>\u201cIt helps send a clear message: \u2018We want to hear about problems,\u2019 and internally, it forces ownership,\u201d said Avakian. \u201cOnce something\u2019s in scope by default, it helps to force maturity.\u201d<\/p>\n<p>However, this could get difficult when it comes to volume, potentially leading to more low-quality reports and speculative or \u201cnebulous\u201d findings, he said. Engineering teams can burn out quickly if everything is treated as urgent, or if severity isn\u2019t well-communicated.<\/p>\n<p>\u201cBut this model can work if severity discipline is rock solid,\u201d said Avakian.<\/p>\n<p>However, attackers could benefit indirectly if defender teams become overloaded, where potential noise could drown out real signals, and fix velocity could slow due to triage backlogs. 
\u201cIn other words, operational drag could very well become the attacker\u2019s friend,\u201d said Avakian.<\/p>\n<p>Researchers, for their part, might go down unconventional attack path rabbit holes, and less ethical hackers may spray \u201clow-effort findings\u201d at scale and use ambiguity to pressure for bounty money or even publicly frame rejections as Microsoft ignoring security, he noted.<\/p>\n<p>Ultimately, \u201cscope is really a governance decision,\u201d said Avakian, pointing out that enterprises fall behind when vulnerability programs are still written primarily to reduce payouts, minimize exposure, and protect brand optics.<\/p>\n<p>\u201cMicrosoft is signaling that operational clarity beats defensive ambiguity,\u201d said Avakian. However, \u201cin scope by default\u201d only works with maturity behind it.<\/p>\n<p>\u201cIf you don\u2019t already have strong governance, triage processes, consistent severity models, and engineering accountability, it becomes problematic,\u201d he said. \u201cAutomation, enrichment, and experienced human judgment matter more than ever here, and Microsoft appears to be clearly investing in that long game.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Today\u2019s AI-enabled attackers are agnostic: They\u2019re not limiting themselves to specific companies, products, or services \u2014 they\u2019re going where the vulnerabilities are. 
To meet them on this ground, Microsoft is pivoting its cybersecurity strategy to what it calls \u2018In Scope by Default.\u2019 Now, any \u201ccritical vulnerability\u201d with a \u201cdemonstrable impact\u201d on Microsoft\u2019s online services is [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6202,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6201","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6201"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6201"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6201\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6202"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}