Bug bounty programs have quietly become critical infrastructure. HackerOne's 2024 Hacker-Powered Security Report tallied $81 million in payouts across 1.4 million reports, and Bugcrowd announced it brokered a $1.7 million bounty in Q4 2024 — the largest single payout on record, for a cloud authentication bypass. Yet throughout 2024, researchers such as Simon Willison and Kevin Beaumont publicly criticized programs that deprioritized AI findings, weaponized NDAs, or threatened litigation under the Computer Fraud and Abuse Act. The first six weeks of 2025 delivered a chain reaction of reforms: Microsoft restructured its AI bounty tiers, the EU Cyber Resilience Act's good-faith-researcher clause took effect, and the U.S. Department of Justice refreshed its CFAA charging policy. For AppSec teams, the practical question is whether your program keeps up.
What did Microsoft change about AI bounties?
On January 21, 2025, Microsoft Security Response Center raised the maximum Copilot bounty from $30,000 to $60,000 and added a new "prompt injection leading to data exfiltration" category at $15,000. The change followed 2024 research by Johann Rehberger demonstrating that Copilot for Microsoft 365 could be coerced, via poisoned emails, to exfiltrate tenant data — a class of issue MSRC had previously rejected as out-of-scope. MSRC also clarified that model weight theft and training-data extraction now qualify when demonstrated against production endpoints. Google followed on January 29, 2025, expanding its Vulnerability Reward Program to cover generative AI products at up to $30,000 for "rogue action" bugs.
How does the EU Cyber Resilience Act protect researchers?
Article 11 of the Cyber Resilience Act, which entered into force December 10, 2024 with mandatory vulnerability-handling provisions effective September 11, 2026, establishes an EU-wide safe harbor for good-faith security research. Manufacturers of products with digital elements must publish a coordinated vulnerability disclosure (CVD) policy, maintain an SBOM, and report actively exploited vulnerabilities to ENISA within 24 hours. Crucially, the Recital 49 language blocks manufacturers from using contractual terms to override research protections. A researcher reporting a flaw through a published CVD process cannot be sued under the EU Trade Secrets Directive, regardless of what an EULA says.
Did the DOJ actually change CFAA enforcement?
Yes, incrementally. On January 9, 2025, the DOJ updated its Justice Manual §9-48.000 to reaffirm the May 2022 policy that good-faith security research is not a prosecutable offense, and added explicit language covering AI red-teaming and automated scraping for vulnerability research. The update cites the Supreme Court's 2021 Van Buren v. United States decision as controlling. Researchers still face state computer-crime statutes and civil liability, but federal criminal risk for scoped, good-faith testing is now the lowest it has been since CFAA's 1986 enactment.
What about researcher liability for AI jailbreaks?
Gray, but improving. The OpenAI bug bounty program updated its scope on February 2, 2025, to explicitly cover prompt injection in API-integrated agents but continues to exclude "standalone model jailbreaks" — i.e., defeating content filters without downstream security impact. Anthropic's program, relaunched through HackerOne in August 2024 at up to $25,000, takes a similar stance. Researchers who publish model-level jailbreaks without program coordination remain exposed to Terms of Service claims. The practical guidance: chain a jailbreak to a real impact (data exfil, privilege escalation, financial action) before reporting.
How should enterprises rewrite their VDP in 2025?
Three minimum updates. Align scope language with security.txt (RFC 9116) so researchers find your contact trivially:
# /.well-known/security.txt
Contact: mailto:security@example.com
Expires: 2026-01-01T00:00:00.000Z
Policy: https://example.com/vdp
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Second, replace blanket "no reverse engineering" clauses with a good-faith harbor that mirrors the DOJ policy verbatim. Third, publish triage SLAs. GitHub's 2024 transparency report showed median time-to-first-response of 4 hours and median time-to-bounty of 27 days — those numbers are now the floor, not the ceiling, that serious researchers benchmark against.
Are programs paying more, or just promising more?
They are paying more, but unevenly. HackerOne's January 2025 data showed median critical-severity payouts up 18% year-over-year, led by cloud providers (AWS median $15,000, up from $10,000) and crypto exchanges (Kraken's paid $1.2 million on a single finding in Q4 2024). Meanwhile, SaaS B2B programs remained flat near $4,500 median critical. The divergence reflects where real risk concentrates — infrastructure providers and AI platforms — and suggests mid-market SaaS should expect reputational pressure from researchers as the year progresses.
How Safeguard Helps
Safeguard turns inbound bug bounty reports into actionable, tracked findings by mapping reporter-supplied proof-of-concept to your SBOM and codebase. Griffin AI performs reachability analysis on the affected component to confirm whether the reported path is genuinely exploitable in production, reducing duplicate payouts and researcher friction. TPRM workflows surface when an upstream dependency named in a public disclosure is present in your products, so you can proactively open a VDP ticket before a researcher does. Policy gates enforce that any merge referencing a reported CVE ID carries an attached fix or VEX justification, and Safeguard's audit log produces the paper trail regulators now expect under CRA Article 14.