Outlook bug bounty payout increases to $400,000, but only for a limited time

Outlook vs Windows Mail (Image credit: Windows Central)

What you need to know

  • Exploit acquisition platform Zerodium has temporarily increased its bounty for Microsoft Outlook zero-click remote code executions from $250,000 to $400,000.
  • These types of exploits can attack a target without requiring interaction such as reading an email or opening an attachment.
  • Zerodium's customers are government institutions that are primarily in North America and Europe.

Zerodium, an exploit acquisition platform, has increased its payout for Microsoft Outlook zero-click remote code executions (RCEs) from $250,000 to $400,000. The increase is a temporary measure to acquire zero-click exploits, which can compromise PCs and networks without any user interaction. Zerodium outlines the change on its limited-time bug bounties page.

Some attacks, such as phishing, require the target to interact with the attack by opening an email or an attachment. Zero-click exploits require no interaction at all, which makes them considerably more dangerous.

"We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000," explains Zerodium. "We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment. Exploits relying on opening/reading an email may be acquired for a lower reward."

Zerodium specializes in zero-day exploits and security research. Its customers are government institutions that are primarily in North America and Europe.

The increased payout for Microsoft Outlook zero-click RCEs began on January 27, 2022, but does not have a definitive end date.

Microsoft also has a list of bounty payouts ranging up to $250,000. Microsoft paid $13.6 million for bug bounties between July 2020 and July 2021.

You can compare Microsoft's bug bounty payouts to those of Zerodium to see how the two programs stack up. The value of a bounty varies dramatically with the severity of the discovered vulnerability.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

2 Comments
  • Criminals would pay ten times the amount for the same thing... 😅 Why do people think they exist?
  • This is a criminal enterprise! Why else would they be offering a $400K bounty? Because they know that they can get that back 100-fold once they've unleashed a zero-day bug that hasn't been patched yet. I can only hope that MSFT catches them and shuts them down for good.