Microsoft Expands Bug Bounty Program: All Services Now In Scope by Default! (2026)

Microsoft has expanded its bug bounty program so that every online service it provides—whether built in-house or powered by third-party and open-source components—will be within scope by default. The policy, named “In Scope By Default,” marks a major shift in how Microsoft handles coordinated vulnerability disclosure, broadening what researchers can report and be rewarded for.

Under the new approach, all Microsoft online services are automatically eligible for bounty awards from launch, removing the old practice of defining scope on a per-product basis. The goal is to make participation straightforward for researchers and to ensure that critical vulnerabilities are rewarded no matter their source.

The expansion covers flaws in third-party libraries, dependencies, or open-source packages that underpin Microsoft’s cloud infrastructure, not just Microsoft-written code. Tom Gallagher, vice president of engineering at the Microsoft Security Response Center, explained in a blog post that this change is more than administrative—it’s a structural realignment of incentives to reflect real-world risk. By defaulting services into scope, Microsoft aims to reduce confusion, speed up reporting and remediation, and allow researchers to concentrate on issues with meaningful customer impact.

The update also increases Microsoft’s ability to collaborate with researchers on upstream or third-party vulnerabilities, including helping to craft fixes or supporting maintainers when those flaws affect Microsoft services.

“If Microsoft’s online services are impacted by vulnerabilities in third-party code, including open source, we want to know,” Gallagher said. “If there was no bounty for this essential work, we will create one. This closes the gap for security research and raises the security bar for everyone who relies on this code.”

As part of the policy, all new online services are covered by bounties from day one, and millions of existing service endpoints no longer require manual listing or approval to qualify.

Initial responses from security professionals have been favorable. Martin Jartelius, AI product director at Outpost24 AB, noted that broadening scope emphasizes the full attack surface of an organization and that attackers don’t care through which component they gain access. He suggested that Microsoft may pay out more bounties temporarily, but the resulting security improvements should be a cost-effective way to strengthen overall security.

This move invites discussion about how bug bounty programs shape security strategy, the practical trade-offs of broader scope, and the balance between reward cost and risk reduction. Do you think this approach will meaningfully improve security across Microsoft services, or could it lead to unintended consequences in payout inflation or scope management? Share your thoughts in the comments.
