Microsoft announced a new Windows Bounty Program that will pay researchers up to $250,000 for finding and disclosing security vulnerabilities.
The bug bounty program will task researchers with focusing on a few key areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, Microsoft Edge, and all features made available via the Windows Insider Program. Payouts depend on where a vulnerability is found and how severe it is. A minor vulnerability in Edge pays $500; a critical vulnerability in Hyper-V can pay up to $250,000. That's quite the range.
But that's what it takes to learn about vulnerabilities as soon as possible. Some people disclose security problems simply because they want to make Windows users safer. Others hunt for vulnerabilities because that's how they want to make a living. Companies like Microsoft have realized they can't just rely on the first group's altruism; they also have to offer financial incentives so they can appeal to the second group's wallets.
That's why everyone from Qualcomm and Netgear to the European Parliament and Fiat Chrysler has recently introduced or expanded bug bounty programs. The Windows Bounty Program is an expansion of Microsoft's other efforts. Here's what the company said in its announcement:
Since 2012, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.
Microsoft also offered a few highlights about the program, prime among them being the fact that "any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security will receive a bounty." It might not pay much, but you'll get something. The company also pointed out that the Windows Bounty Program runs at its discretion and can end at any time.
Another thing to note is that Microsoft will pay out even if you report a vulnerability it has already discovered. The company said it will pay "a maximum of 10% of the highest amount" you would've received if the discovery was fresh. Again, that might not add up to much, but it's clear Microsoft is trying to encourage researchers to disclose everything instead of sitting on vulnerabilities because they don't know if they're new.
You can learn more about Microsoft's bug bounties, including the Windows Bounty Program, in the company's Security Tech Center. Vulnerabilities can also be disclosed by emailing firstname.lastname@example.org. The basics about the Windows Bounty Program's payouts can be found below.
| Category | Targets | Windows Version | Payout Range (USD) |
|---|---|---|---|
| Focus Area | Microsoft Hyper-V | Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server Insider Preview | $5,000-$250,000 |
| Focus Area | Mitigation bypass and Bounty for defense | Windows 10 | $500-$200,000 |
| Focus Area | Windows Defender Application Guard | Windows Insider Program (Slow Ring) | $500-$30,000 |
| Focus Area | Microsoft Edge | Windows Insider Program (Slow Ring) | $500-$15,000 |
| Base | Windows Insider Preview | Windows Insider Program (Slow Ring) | $500-$15,000 |