Microsoft has been for years against the idea of paying those that report security flaws to them. There are a number of (security) vendors who will offer a bounty to those who find security bugs in Microsoft products and help to get Microsoft to acknowledge the problem in exchange for the publicity it yields them months to years later when Microsoft acknowledges the bug publicly.
So it's for sure an about face for Microsoft but nothing novel.
Also the scope it quite limited.
Also notice they pay "up to" an amount - not the amount. And knowing how hard it is to get them to acknowledge their products are less than perfect, this is not going to be a reliable income, no matter how skilled you are at it.