Microsoft first launched a Bug Bounty Program for the Edge browser back in April 2015, when it was still called Project Spartan. The Program ended that June, but the company has started two similar initiatives since then, and today it announced that the Edge on Windows Insider Preview Bounty Program will be changed from "a time bound to a sustained bounty program."
Microsoft says that "security is a continuous effort and not a destination", which is why the Program will now be expanded indefinitely, offering payouts of up to $15,000 for anyone that can find a vulnerability in the Edge browser.
These are the highlights of the program:
Any critical remote code execution or important design issue that compromises a customer’s privacy and security will receive a bounty
The bounty program is sustained and will continue indefinitely on Microsoft’s discretion
Bounty payouts will range from $500 USD to $15,000 USD
If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD
Vulnerabilities must be reproducible on the latest Windows Insider Preview (slow track)
All security bugs are important to us and we request you report all Microsoft Edge browser security bugs to secure@microsoft.com via Coordinated Vulnerability Disclosure (CVD) policy
For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog.
In order for a bug submission to be eligible, the vulnerability has to be previously unreported by anyone else, and if it's already known internally, the maximum payout will be $1,500. It must also be reproducible on the current Windows Insider Slow ring build.
Here's the payout structure:
Vulnerability type | Proof of concept | Report Quality | Payout range (USD) |
---|---|---|---|
Remote Code Execution in Microsoft Edge on recent builds of WIP slow |
Required | High | Up to $15,000 |
Required | Low | Up to $1,500 | |
Violations of W3C This includes:
This does not include:
|
Required | High | Up to $6,000 |
Required | Low | Up to $1,500 |
Vulnerabilities from earlier builds than the one in the Slow ring are ineligible, as is anything to do with Internet Explorer or user-generated content. You can learn more about the Bug Bounty Program here.