Microsoft Corp. has announced a major update to its bug bounty program, extending coverage to include any vulnerability affecting its online services. This new framework, referred to as “In Scope By Default,” is an important shift in how the tech giant approaches coordinated vulnerability disclosure.Under this updated model, every Microsoft online service is automatically eligible for bounty awards from the moment it launches. Previously, the company relied on product-specific scope definitions, which often caused confusion for security researchers and limited the range of vulnerabilities eligible for rewards. By making all services In Scope By Default, Microsoft aims to make participation in the bug bounty program more predictable while ensuring critical vulnerabilities are addressed and incentivized regardless of their origin.A key feature of the expanded scope is its coverage of third-party and open-source components integrated into Microsoft services. This means that vulnerabilities in external libraries, dependencies, or open-source packages that power Microsoft’s cloud infrastructure are now eligible for bug bounty rewards, not just flaws in Microsoft’s own software.
A Strategic Shift in Bug Bounty Security Incentives
Tom Gallagher, vice president of engineering at the Microsoft Security Response Center (MSRC), highlighted the significance of the change in a December 11, 2025, blog post. He described it as more than an administrative adjustment, calling it a structural realignment designed to reflect real-world risk. Gallagher explained that by defaulting all services into scope, Microsoft hopes to reduce reporting delays, minimize confusion, and allow researchers to focus on vulnerabilities with meaningful impact on customers.“If Microsoft’s online services are impacted by vulnerabilities in third-party code, including open source, we want to know,” Gallagher stated. “If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code.”The new policy also allows Microsoft to collaborate more effectively with researchers on upstream or third-party vulnerabilities. The company can now assist with developing fixes or support maintainers when issues in external codebases directly affect Microsoft services.
Industry Reaction and Expected Impact
All new Microsoft online services now fall under bug bounty coverage from day one, while millions of existing endpoints no longer require manual approval to qualify. The update is designed to make it easier for security professionals to identify and report vulnerabilities across Microsoft’s expansive ecosystem.The new approach aligns with Microsoft’s broader security philosophy in an AI- and cloud-first environment, where attackers exploit any weak link, regardless of ownership. According to Gallagher, “Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components.”Last year, Microsoft’s bug bounty program and its Zero Day Quest live-hacking event awarded over $17 million to researchers for high-impact discoveries. With the In Scope By Default initiative, the company expects to expand eligibility even further, particularly in areas involving Microsoft-owned domains, cloud services, and third-party or open-source code.Researchers participating in the program are expected to follow Microsoft’s Rules of Engagement for Responsible Security Research, ensuring customer privacy and data protection while enabling coordinated vulnerability disclosure. By widening its bug bounty scope, Microsoft aims to raise the overall security bar.
American officials joined Russia, Saudi Arabia and Iran in objecting to language on fossils fuels, biodiversity and plastics in a report that was three years in the making.
The ARC Data Sale to U.S. government agencies has come under intense scrutiny following reports of warrantless access to Americans’ travel records.
After growing pressure from lawmakers, the Airlines Reporting Corporation (ARC), a data broker collectively owned by major U.S. airlines, has announced it will shut down its Travel Intelligence Program (TIP), a system that allowed federal agencies to search through hundreds of millions of passenger travel records without judicial oversight.
Lawmakers Question ARC Data Sale and Warrantless Access
Concerns over the ARC Data Sale intensified this week after a bipartisan group of lawmakers sent letters to nine airline CEOs urging them to stop the practice immediately. The letter cited reports that government agencies, including the Department of Homeland Security (DHS), the Internal Revenue Service (IRS), the Securities and Exchange Commission (SEC), and the FBI had been accessing ARC’s travel database without obtaining warrants or court orders.
According to the lawmakers, ARC sold access to a system containing approximately 722 million ticket transactions covering 39 months of past and future travel data. This includes bookings made through more than 10,000 U.S.-based travel agencies, popular online travel portals like Expedia, Kayak, and Priceline, and even credit-card reward program bookings. Travel details in this database include a passenger’s name, itinerary, flight numbers, fare details, ticket numbers, and sometimes credit card digits used during the purchase.
Documents released through public records requests show that the FBI received travel records from ARC based solely on written requests, bypassing the need for subpoenas. DHS described the database as “an unparalleled intelligence resource.”
IRS Admits Policy Violations in Handling Travel Data
A central point of concern is the revelation that the IRS accessed ARC’s travel database without conducting a legal review or completing a required Privacy Impact Assessment. Under the E-Government Act of 2002, federal agencies must complete such assessments before procuring systems that collect personal data.
In a disclosure to Senator Ron Wyden, the IRS admitted it had purchased ARC’s airline data without meeting these requirements. The agency only completed the privacy assessment after receiving an oversight inquiry in 2025.
It also confirmed that it had not initially reviewed whether accessing the travel data constituted a search that required a warrant, despite previous commitments to do so after a 2021 investigation into cell-phone location data purchases.
Prospective Surveillance Raises New Privacy Concerns
Beyond historical travel data, lawmakers highlighted that ARC’s tools enabled what they termed “prospective surveillance.” Through automated, recurring searches, government agencies could receive alerts the moment a ticket matching specific criteria was booked. This type of forward-looking monitoring typically requires a higher legal threshold and is allowed only in limited circumstances authorized by Congress.
Lawmakers argued that buying such capabilities from a data broker like ARC allowed agencies to circumvent the Fourth Amendment, undermining Americans’ constitutional protection against unreasonable searches. Because ARC only captures bookings made through travel agencies, individuals booking directly with airlines do not have their travel data in the system, effectively creating inconsistent privacy protections based solely on how a ticket is purchased.
ARC Confirms End of Travel Intelligence Program
In a letter sent on Tuesday, ARC CEO Lauri Reishus informed lawmakers that the company would end the Travel Intelligence Program in the coming weeks. The decision follows public and political pressure since September, when media reports first revealed the extent of ARC’s data-sharing arrangements with government agencies.
Lawmakers noted that airlines benefit financially when passengers book tickets directly, raising concerns that the surveillance program not only threatened privacy rights but also created potential antitrust implications.
As lawmakers push for stronger privacy protections and clearer limits on government surveillance, the ARC data sale case has become a high-profile example of how easily personal travel data can be accessed and shared without passengers’ knowledge.
A Senate Republican has drafted legislation that would effectively cut a $42 billion broadband deployment program in half.
The bill would complement the Trump administration overhaul of the $42.45 billion Broadband Equity, Access, and Deployment (BEAD) program. The administration required states to rewrite their grant plans, reducing the overall projected spending and diverting some of the money from fiber projects to satellite.
The result is that over $21 billion is projected to be left over after money is allocated to projects that expand broadband access. Current US law allows nondeployment funds to be used for other broadband-related purposes, like providing Wi-Fi and Internet-capable devices to US residents. But a draft bill by Sen. Joni Ernst (R-Iowa) would change the law to redirect all the remaining money to the US Treasury for deficit reduction.
Blue Origin, owned by Jeff Bezos, and Lockheed Martin are among the contractors that may compete with Elon Musk’s company in the race back to the lunar surface.
Login
