Its been more than 8 years since I played around with Web Bugs. Seems threat landscape and things has changed significantly. However recently i reported few "low hanging" web related problems to MSFT. Most of the issues were mostly configuration issues, and all of the issues are fixed now however no bounty paid. What i came to know, unlike Facebook VRP, MSRC doesn't pay researcher even if they make any changes as result of your report.
Link to Official Acknowledgements -