Microsoft Announces Windows Bounty Program

Microsoft announced a new Windows Bounty Program that will pay researchers up to $250,000 for finding and disclosing security vulnerabilities.

The bug bounty program will task researchers with focusing on a few key areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, Microsoft Edge, and all features made available via the Windows Insider Program. Payouts depend on where a vulnerability is found and how severe it is. A minor vulnerability in Edge pays $500; a critical vulnerability in Hyper-V can pay up to $250,000. That's quite the range.

But that's what it takes to learn about vulnerabilities as soon as possible. Some people disclose security problems simply because they want to make Windows users safer. Others hunt for vulnerabilities because that's how they want to make a living. Companies like Microsoft have realized they can't just rely on the first group's altruism--they also have to offer financial incentives so they can appeal to the second group's wallets.

That's why everyone from Qualcomm and Netgear to the European Parliament and Fiat Chrysler has recently introduced or expanded bug bounty programs. The Windows Bounty Program is an expansion of Microsoft's other efforts. Here's what the company said in its announcement:

Since 2012, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.

Microsoft also offered a few highlights about the program, prime among them being the fact that "any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security will receive a bounty." It might not pay much, but you'll get something. The company also pointed out that the Windows Bounty Program runs at its discretion and can end at any time.

Another thing to note is that Microsoft will pay out even if you report a vulnerability it has already discovered. The company said it will pay "a maximum of 10% of the highest amount" you would have received had the discovery been fresh. Again, that might not add up to much, but it's clear Microsoft is trying to encourage researchers to disclose everything instead of sitting on vulnerabilities because they don't know whether they're new.

You can learn more about Microsoft's bug bounties, including the Windows Bounty Program, in the company's Security Tech Center. Vulnerabilities can also be disclosed by emailing secure@microsoft.com. The basics about the Windows Bounty Program's payouts can be found below.

Category     Targets                                    Windows Version                        Payout Range (USD)
Focus Area   Microsoft Hyper-V                          Windows 10                             $5,000-$250,000
                                                        Windows Server 2012
                                                        Windows Server 2012 R2
                                                        Windows Server Insider Preview
Focus Area   Mitigation bypass and Bounty for defense   Windows 10                             $500-$200,000
Focus Area   Windows Defender Application Guard         Windows Insider Program (Slow Ring)    $500-$30,000
Focus Area   Microsoft Edge                             Windows Insider Program (Slow Ring)    $500-$15,000
Base         Windows Insider Preview                    Windows Insider Program (Slow Ring)    $500-$15,000
  • vern72
    If it was strictly a bug bounty, Microsoft would go broke.
  • virtualban
    Can I report the whole OS as a bug?
    It consumes too many cpu cycles unnecessarily, making technology act worse rather than better the more it is refined.
    (Refined by whom? Engineers make things go smoother, lawyers make things go slower, M$ has more lawyers than engineers; maybe that is the way it goes.)
  • Translation:

    We at Microsoft fired the entire QA team and are using Windows Insiders and whoever else to do their job for free, and you get nice retarded ninja cat wallpapers.

    Seriously, people, do yourself a favor and run the best and most stable OS MS ever made; it is called Windows 7.

    Don't be afraid that it doesn't run the latest and greatest. It is happily running and performing on an 8/16 CPU with 32GB DDR4 and SLI 1080s, and it is booting from the latest Samsung M.2 drive.