Saved February 14, 2026
Do you care about this?
Microsoft will now reward researchers for identifying critical vulnerabilities in any of its online services, regardless of the code's origin. This change aims to enhance security by incentivizing the discovery of flaws in both Microsoft's own and third-party components that impact its services.
If you do, here's more
Microsoft has broadened its bug bounty program to include critical vulnerabilities in any online services it offers, regardless of whether the underlying code comes from Microsoft or third parties. This change, announced by Tom Gallagher at Black Hat Europe, reflects a recognition that attackers exploit vulnerabilities without regard for their origin. Now, any critical vulnerability that directly affects Microsoft’s online services qualifies for a bounty, incentivizing researchers to address high-risk areas.
Over the past year, Microsoft has awarded over $17 million to 344 researchers, with an additional $16.6 million to another 343 the previous year. This expansion is part of a larger initiative by Microsoft to enhance security across its operations. Alongside the bounty program, Microsoft has disabled ActiveX controls in its Windows versions of Microsoft 365 and Office 2024. They’ve also updated security defaults in Microsoft 365 to block legacy authentication methods for services like SharePoint and OneDrive.
Recent initiatives include a new Teams feature designed to prevent screen capture during meetings and efforts to protect Entra ID sign-ins from script injection attacks. These changes demonstrate a comprehensive approach to security, aiming to tackle both internal and external threats effectively.