Microsoft Announces Windows Bounty Program

Microsoft announced a new Windows Bounty Program that will pay researchers up to $250,000 for finding and disclosing security vulnerabilities.

The program focuses researchers on a few key areas: Hyper-V, mitigation bypass, Windows Defender Application Guard, Microsoft Edge, and all features made available via the Windows Insider Program. Payouts depend on where a vulnerability is found and how severe it is. A minor vulnerability in Edge pays $500; a critical vulnerability in Hyper-V can pay up to $250,000. That's quite the range.

But that's what it takes to learn about vulnerabilities as soon as possible. Some people disclose security problems simply because they want to make Windows users safer. Others hunt for vulnerabilities because that's how they want to make a living. Companies like Microsoft have realized they can't rely on the first group's altruism alone; they also have to offer financial incentives that appeal to the second group's wallets.

That's why everyone from Qualcomm and Netgear to the European Parliament and Fiat Chrysler has recently introduced or expanded a bug bounty program. The Windows Bounty Program is an expansion of Microsoft's other efforts. Here's what the company said in its announcement:

Since 2012, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.

Microsoft also offered a few highlights about the program, chief among them that "any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security will receive a bounty." It might not pay much, but you'll get something. The company also pointed out that the Windows Bounty Program runs at its discretion and can end at any time.

Another thing to note is that Microsoft will pay out even if you report a vulnerability it has already discovered internally. The company said it will pay "a maximum of 10% of the highest amount" you would have received had the discovery been new. Again, that might not add up to much, but it's clear Microsoft is trying to encourage researchers to disclose everything instead of sitting on vulnerabilities because they don't know whether they're new.

You can learn more about Microsoft's bug bounties, including the Windows Bounty Program, in the company's Security Tech Center. Vulnerabilities can also be disclosed by emailing secure@microsoft.com. The basics about the Windows Bounty Program's payouts can be found below.

Category     Targets                                   Windows Version                                                                              Payout Range (USD)
Focus Area   Microsoft Hyper-V                         Windows 10; Windows Server 2012; Windows Server 2012 R2; Windows Server Insider Preview      $5,000-$250,000
Focus Area   Mitigation bypass and Bounty for defense  Windows 10                                                                                   $500-$200,000
Focus Area   Windows Defender Application Guard        Windows Insider Program (Slow Ring)                                                          $500-$30,000
Focus Area   Microsoft Edge                            Windows Insider Program (Slow Ring)                                                          $500-$15,000
Base         Windows Insider Preview                   Windows Insider Program (Slow Ring)                                                          $500-$15,000

  • vern72
    If it was strictly a bug bounty, Microsoft would go broke.
    Reply
  • virtualban
    Can I report the whole OS as a bug?
    It consumes too many cpu cycles unnecessarily, making technology act worse rather than better the more it is refined.
    (refined by whom? engineers make things go smoother, lawyers make things go slower, M$ has more lawyers than engineers, maybe that is the way it goes).
    Reply
  • Translation:

    We at Microsoft fired the entire QA team and we are using Windows Insider and whoever else to do their job for free, and you get nice retarded ninja cat wallpapers.

    Seriously people, do yourself a favor and run the best and most stable OS MS made; it is called Windows 7.

    Don't be afraid that it doesn't run the latest and greatest. It is happily running and performing on an 8/16 CPU with 32GB DDR4 and SLI 1080, and it is booting from the latest Samsung M.2 drive.
    Reply
  • salgado18
    "A minor vulnerability in Edge pays $500"

    Easy money, I guess? XD
    Reply
  • antilycus
    I cut the cord to Windows years ago at home. Linux Debian has been great for me. Thunderbird to replace Outlook, or Evolution (non Exchange/Office 365). LibreOffice (comes installed, open license) to open, edit, and save in proprietary Microsoft formats (.docx, .xlsx, etc.) or ODF (Open Document Format). Memory usage that is amazing, and free virtualization if I need a Windows VM using virt-manager. I don't crash and I don't suffer productivity loss, as I can support all 1500 of our Windows clients without any problems. No registry, no bullcrap drivers... it just works like it should.
    Reply