Microsoft has announced the launch of its new Windows Bounty Program, two years after Windows 10 was originally released. Like other tech giants, Microsoft has offered bounties for some time, and recently announced the indefinite extension of its Bug Bounty Program for Edge - but this is the first time that the company has established a complete program across its Windows operating system.
Microsoft's Security Response Center (MSRC) said today that the Windows Bounty Program "will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge."
Key highlights of the program include:
- Any critical or important class remote code execution, elevation of privilege, or design flaws that compromise a customer’s privacy and security will receive a bounty
- The bounty program is sustained and will continue indefinitely at Microsoft’s discretion
- Bounty payouts will range from $500 USD to $250,000 USD
- If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10% of the highest amount they could’ve received (example: $1,500 for an RCE in Edge, $25,000 for an RCE in Hyper-V)
- All security bugs are important to us and we request you report all security bugs to secure@microsoft.com via Coordinated Vulnerability Disclosure (CVD) policy
- For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog
Microsoft also highlighted the targets of the Windows Bounty Program, and how much it will pay out for new vulnerabilities discovered in each category:
Category | Targets | Windows version | Payout range (USD) |
Focus area | | Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server Insider Preview | $5,000 to $250,000 |
Focus area | | Windows 10 | $500 to $200,000 |
Focus area | | WIP slow | $500 to $30,000 |
Focus area | | WIP slow | $500 to $15,000 |
Base | | WIP slow | $500 to $15,000 |
Further details on all of Microsoft's bounty programs can be found on the MSRC Security TechCenter site.
Source: Microsoft TechNet