Microsoft has updated its bug bounty scheme, under which anyone who identifies security issues in Windows could be rewarded up to $250,000. The Microsoft bug bounty program for Windows Insiders now covers the full OS, including Windows Server Insider.
What has changed with the Microsoft bug bounty program?
Under the new terms, those who find a vulnerability in the slow Windows Insider release track will be awarded $30,000. Microsoft is also focusing on mitigation bypasses and Microsoft Edge, and participants who identify a bug are eligible for $100,000 and $15,000, respectively. However, the main focus is on Hyper-V, and finding a bug in that code can earn you up to $250,000.
Participants who find remote code execution bugs in a Windows Insider Preview build or the Edge web browser, along with privilege escalation, remote denial of service and information disclosure exploits, will be awarded up to $15,000. The rewards are paid on a sliding scale down to $500.
“If a submission reproduces in a previous WIP Slow build but not the current WIP Slow at the time of your submission, then the submission is ineligible,” Microsoft said in an explanatory note.
Further, the company stated that if it is already aware of a reported issue, having found the problem before the participant did, then 10% of the highest amount will be paid to that person.
However, users will be restricted from submitting a fix in the Windows bug bounty program because the OS is closed source, notes XDA. Nevertheless, Microsoft will benefit from the bug reporting alone, as it can then design a fix to enhance the security of its products.
Rising importance of the Microsoft bug bounty program
The Microsoft bug bounty program has been in existence since 2013, when rewards were fixed at $11,000 for finding bugs in Internet Explorer 11. Since then, the company has only increased the scale of the program (and the rewards) to include the Hyper-V hypervisor, the Edge browser and Windows’ exploit mitigation systems, such as DEP and ASLR.
In March, Microsoft launched its Office Insider Builds bug bounty program, in which the reward limit was set at up to $15,000 in the normal course, and for “certain submissions,” participants could gain up to $15,000 more, notes ZDNet. The program ended on June 15.
Big tech companies like Google, Facebook and others have been running such programs for some time, offering large rewards to those who are able to find flaws. Such programs make it easier for tech companies to find security flaws before they wreak havoc in one way or another. Paying a bounty costs the company only a little compared to fixing loopholes after it’s too late.
These programs have been around for a long time, but in the wake of recent security breaches and cyber-threats, such events have spiked. Only recently, there have been some leaks of the U.S. Central Intelligence Agency’s Vault 7, which included security exploits for Microsoft Edge, Mozilla Firefox, Opera, iOS, macOS, Microsoft Windows and a few others. Microsoft was also heavily affected last year after reports that the 2012 LinkedIn hack was bigger than initially assumed.