Microsoft today announced the Windows Bounty Program. Rewards start at a minimum of $500 and can go up to as high as $250,000.
To be clear, Microsoft already runs many bug bounty programs, and this is not the first to target Windows features: the company has launched a series of Windows-specific bounties, starting in 2012. The Windows Bounty Program, however, covers Windows 10 and even the Windows Insider Preview, the company’s program for testing Windows 10 preview builds. It also carries specific focus areas: Hyper-V, Mitigation Bypass, Windows Defender Application Guard, and Microsoft Edge.
Here are the program’s rules (check out Microsoft’s bug bounty FAQ for more):
- Any critical or important class remote code execution, elevation of privilege, or design flaw that compromises a customer’s privacy and security will receive a bounty
- The bounty program is sustained and will continue indefinitely at Microsoft’s discretion
- Bounty payouts will range from $500 USD to $250,000 USD
- If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10 percent of the highest amount they could’ve received
- All security bugs are important to us and we request you report all security bugs to firstname.lastname@example.org via Coordinated Vulnerability Disclosure (CVD) policy
If you’re interested in the maximum quarter-million bounty, your only option is the Hyper-V program, although there you have multiple operating systems to choose from: Windows 10, Windows Server 2012, Windows Server 2012 R2, and Windows Server Insider Preview. Also of note is the Mitigation Bypass and Bounty program’s top reward of $200,000, but in that program Windows 10 is the only eligible target.
The Windows Defender Application Guard program only goes up to $30,000, while the other two, Microsoft Edge and Windows Insider Preview, max out at $15,000. These three require targeting builds from the Windows Insider slow ring.
Facebook, Google, and Microsoft offer multiple bug bounty programs, but smaller companies also increasingly have at least one: Avoiding the next security fiasco is priceless. It’s always better to find and fix a bug before it becomes a problem, especially when it comes to security. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.