Microsoft extends its Bug Bounty Program for Edge indefinitely

Microsoft first launched a Bug Bounty Program for the Edge browser back in April 2015, when it was still called Project Spartan. The Program ended that June, but the company has started two similar initiatives since then, and today it announced that the Edge on Windows Insider Preview Bounty Program will be changed from "a time bound to a sustained bounty program."

Microsoft says that "security is a continuous effort and not a destination", which is why the Program will now be extended indefinitely, offering payouts of up to $15,000 to anyone who can find a qualifying vulnerability in the Edge browser.

These are the highlights of the program:

  • Any critical remote code execution or important design issue that compromises a customer’s privacy and security will receive a bounty

  • The bounty program is sustained and will continue indefinitely on Microsoft’s discretion

  • Bounty payouts will range from $500 USD to $15,000 USD

  • If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD

  • Vulnerabilities must be reproducible on the latest Windows Insider Preview (slow track)

  • All security bugs are important to us and we request you report all Microsoft Edge browser security bugs to secure@microsoft.com via Coordinated Vulnerability Disclosure (CVD) policy

  • For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog.

In order for a bug submission to be eligible, the vulnerability has to be previously unreported by anyone else, and if it's already known internally, the maximum payout will be $1,500. It must also be reproducible on the current Windows Insider Slow ring build.

Here's the payout structure:

Vulnerability type                                      Proof of concept   Report quality   Payout range (USD)
Remote Code Execution in Microsoft Edge on              Required           High             Up to $15,000
recent builds of WIP slow                               Required           Low              Up to $1,500

Violations of W3C standards that compromise             Required           High             Up to $6,000
privacy or integrity of important user data.            Required           Low              Up to $1,500

For the W3C standards category, this includes:

  • Violation of SoP, i.e. UXSS

  • Referrer spoofs

This does not include:

  • XSS, CSRF: report these to the web site owner

  • XSS filter bypass


Vulnerabilities from earlier builds than the one in the Slow ring are ineligible, as is anything to do with Internet Explorer or user-generated content. You can learn more about the Bug Bounty Program here.
