If you are unfamiliar with the Bounty Program, it is an initiative that gives hackers rewards for finding flaws in Microsoft Windows, Azure DevOps, and Cloud solutions. The Bounty Program has extended across Azure (April 2015) and Office 365 (August 2015). In September, 2016 the Bug Bounty also extended to the Microsoft Edge Insider Program. During 2018, the Microsoft Bounty Program debuted as a catch-all program. This new overhaul is focused directly on the Windows Insider Preview bounty program. Launched in 2017, this section of the wider Microsoft Bounty Program rewards researcher who find unknown flaws on the platform. This include the full Windows service in preview, Hyper-V, Application Guard, and Microsoft Defender for Windows 10.
Overhaul
Microsoft says the amount researchers can receive for successful finds has increased substantially. You may remember rewards have so far ranged from $500 to $15,000 for Windows Insider Preview flaws. “Today we’re introducing updates to this program to further incentivize research with the highest impact, including new scenario awards up to $100,000,” Jarek Stanley, senior program manager with Microsoft said recently. “We’re also announcing procedural updates for more seamless integration with researchers and faster Windows bounty awards for eligible research.” There are now five reward tiers linked to what Microsoft calls attack scenarios. Each covers flaws that could put customer privacy and security at risk across levels of severity. Rewards range from $100,000 for most severe to $500 at the lower end, with $50,000, $30,000, $20,000, and $5,000 in between.
“Scenario-based bounty awards – The Windows Insider Preview (WIP) bounty program now includes 5 new scenario-based awards for vulnerabilities that could put customer privacy and security at risk of exploitation. Rewards for these scenarios range from $20,000 to $100,000. General bounty awards – While we are refocusing the WIP bounty program to defend and protect customers from these five high risk exploit scenarios, we continue to offer bounties for other valid vulnerability reports that do not qualify for scenario-based awards. These vulnerability reports are eligible to receive awards ranging from $500 and $5,000.”
