Microsoft today launched the new Windows Bounty Program, which allows anyone to find critical security issues in Windows and be rewarded for reporting them to Microsoft. It covers all features of the Windows Insider Preview, in addition to focus areas in Hyper-V, mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. Microsoft is also increasing the payout range for the Hyper-V Bounty Program. Bounty payouts will range from $500 USD to $250,000 USD.
Program highlights:
- Any critical or important class remote code execution, elevation of privilege, or design flaw that compromises a customer's privacy and security will receive a bounty
- If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10% of the highest amount they could have received (example: $1,500 for an RCE in Edge, $25,000 for an RCE in Hyper-V)
- All security bugs are important to us and we request you report all security bugs to [email protected] under the Coordinated Vulnerability Disclosure (CVD) policy

|Category|Targets|Windows Version|Payout range (USD)|
|---|---|---|---|
|Focus area|Microsoft Hyper-V|Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server Insider Preview|$5,000 to $250,000|
|Focus area|Mitigation bypass and Bounty for defense|Windows 10|$500 to $200,000|
|Focus area|Windows Defender Application Guard|WIP slow|$500 to $30,000|
|Focus area|Microsoft Edge|WIP slow|$500 to $15,000|
|Base|Windows Insider Preview|WIP slow|$500 to $15,000|

In recent years, Microsoft has built several defensive security mechanisms into Windows 10, such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard, to improve the security of its systems. The Windows Bounty Program will help Microsoft fix the holes in these technologies.
Learn more about the Windows Bounty program here.