Microsoft has expanded its Copilot bug bounty program to include more consumer products, offering increased incentives for researchers. As part of the expansion, the company has raised the rewards for moderate-severity vulnerabilities, with researchers now able to earn up to $5,000 for such flaws. The program continues to provide up to $30,000 for critical-severity vulnerabilities in Copilot AI products and services, encouraging security professionals to find and report potential risks.
In addition to the increased rewards, Microsoft has broadened the scope of eligible Copilot products, now including Copilot for Telegram, Copilot for WhatsApp, and other Copilot platforms. Researchers can earn bounties for identifying vulnerabilities such as inference manipulation, code injection, and improper access control. This change aims to strengthen the security of the Copilot ecosystem by giving researchers more opportunities to contribute.
The program also aligns with Microsoft’s Online Services Bug Bar, which helps standardize how vulnerabilities are evaluated across the company’s platforms. By doing this, Microsoft ensures that all flaws in Copilot products are assessed consistently, enhancing the fairness and transparency of the bounty process. This alignment also streamlines the evaluation process for researchers submitting reports.
Microsoft is actively encouraging security researchers, developers, and enthusiasts to participate in the expanded program. By offering more comprehensive incentives and increasing the number of eligible products, the company aims to fortify its Copilot ecosystem against potential threats. More information and program rules are available on the Copilot bounty program’s page.