If their rules say this doesn't deserve a bounty, their bounty program is a sham.
My own, small, experience with MSRC is indeed that their bug bounty program is not good; they take any possible opportunity to avoid payouts.
This means that a lot of genuine bug bounty hunters just won't look at MS stuff and MS avoid getting things fixed; instead, other attackers will be the ones finding things, and they likely won't report it to MS...
Microsoft's bug bounty program is a shell of its former self. They quietly disqualified a lot of high-impact findings in 2023.
In my own experience:
- Leaked service principal credentials granting access to their tenant? $0 bounty.
- Leaked employee credentials granting access to generate privileged tokens? $0 bounty.
- Access to private source code? $0 bounty.
Etc.