Microsoft extends Edge Bounty Program, will continue indefinitely

Over the past 10 months, Microsoft has paid out more than $200,000 USD in bounties to researchers reporting vulnerabilities through the Microsoft Edge Bounty Program. When Microsoft announced the Edge Bounty Program last year, it said the program would run from August 4, 2016 through May 15, 2017. Last month, Microsoft announced that it was extending the end date of the program to June 30, 2017. Today, Microsoft announced that it is changing the program from a time-bound to a sustained bounty program, and it will continue indefinitely at Microsoft’s discretion.

If you are a security researcher, you can earn payments for eligible submissions based upon the following:

| Vulnerability type | Proof of concept | Report quality | Payout range (USD) * |
|---|---|---|---|
| Remote Code Execution in Microsoft Edge on recent builds of WIP | Required | High | Up to $15,000 |
| Remote Code Execution in Microsoft Edge on recent builds of WIP | Required | Low | Up to $1,500 |
| Violations of W3C standards that compromise privacy or integrity of important user data | Required | High | Up to $6,000 |
| Violations of W3C standards that compromise privacy or integrity of important user data | Required | Low | Up to $1,500 |

The W3C standards violation category includes:

  • Violation of SoP, i.e. UXSS
  • Referrer spoofs

This does not include:

  • XSS, CSRF: report these to the web site owner
  • XSS filter bypass

You can find more details about this program here.
