Evolving Msft's Approach to Coordinated Security Research: in Scope by Default

Posted22 days ago

icampanini

1 points

1 comments

microsoft.comSecuritystory

informativepositive

Debate

20/100

ResearchMicrosoftNpm Vulnerabilities

Key topics

Research

Microsoft

Npm Vulnerabilities

Discussion Activity

Light discussion

First comment

N/A

Peak period

Start

Avg / period

Key moments

01Story posted
Dec 11, 2025 at 4:26 PM EST
22 days ago
Step 01
02First comment
Dec 11, 2025 at 4:26 PM EST
0s after posting
Step 02
03Peak activity
1 comments in Start
Hottest window of the conversation
Step 03
04Latest activity
Dec 11, 2025 at 4:26 PM EST
22 days ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (1 comments)

Showing 1 comments

icampaniniAuthor

22 days ago

Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source, we will do whatever it takes to remediate the issue. Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit. Where no bounty programs exists, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft.

We call this approach In Scope by Default.

View full discussion on Hacker News

ID: 46237383Type: storyLast synced: 12/11/2025, 9:30:17 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN