Microsoft Edge (EdgeHTML) on Windows Insider Preview Bounty Program
The Microsoft Edge bounty program welcomes individuals across the globe to submit vulnerabilities found in Microsoft Edge based on EdgeHTML shipping on the latest Windows 10 Insider Preview slow ring. Qualified submissions are eligible for bounty rewards of $500 USD to $15,000 USD, and bounties will be awarded at Microsoft’s discretion based on the quality and complexity of the vulnerability, and subject to the Microsoft Bounty Terms and Conditions.
Windows 10 Insider preview updates are delivered to testers in different rings. For the bounty program, we request you submit bugs on the Windows Insider Preview slow ring. Check out https://insider.windows.com/ and https://insider.windows.com/Home/GetStarted for more information.
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?
The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers. Vulnerability submissions must meet the following criteria to be eligible for bounty award:
- Identify an original and previously unreported vulnerability in the current Microsoft Edge based on EdgeHTML on WIP slow.
- Submission must include WIP slow build number on which the vulnerability reproduces.
- Include concise reproducibility steps that are easily understood.
- This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Must provide Proof of Concept (PoC) with submission.
HOW ARE PAYMENT AMOUNTS SET?
Bounty awards range from $500 up to $25,000. Higher awards are possible, at Microsoft’s sole discretion, based on entry quality and complexity. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission based on the criteria mentioned above.
- If a duplicate report provides us new information that was previously unknown to Microsoft, we will award a differential to the duplicate submission.
- Novel vulnerabilities discovered that might only result in a “Medium” level of severity could still be considered for bounty.
|Remote Code Execution||Up to $15,000||From $500 to $5,000|
|Violation of Same Origin Policy (Universal XSS)||Up to $6,000||From $500 to $2,000|
|Information Disclosure||Up to $5,000||From $500 to $1,000|
|Other novel vulnerability (CSP bypass, referrer spoof, etc.)||Up to $2,000||Up to $500|
* Meets all guidelines of submission criteria outlined above, contains high quality PoC plus ways in which attacker can leverage the finding against a user.
** Meets all guidelines of submission criteria outlined above but lacking any further detailed or information or poor quality PoC.
Definitions for Eligible Submissions:
Proof of concept
The files and steps necessary to reliably reproduce the vulnerability.
Remote code execution
A vulnerability in Microsoft Edge (EdgeHTML) WIP Slow where an attacker has access to someone else's computing device and make changes, no matter where the device is geographically located.
WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?
The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in our browsers, the following are examples of vulnerabilities that will not earn a bounty reward under this program:
- Vulnerabilities in anything earlier than the current WIP slow build
- Vulnerabilities in any versions of Internet Explorer
- Vulnerabilities in any version of Microsoft Edge based on Chromium
- Vulnerabilities in user-generated content
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities with Memory Garbage Collector (MemGC) turned off
- Vulnerabilities found by disabling existing browser security features
- Vulnerabilities in experimental features, such as those listed in about:flags
We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
HOW DO I PROVIDE MY SUBMISSION?
Send your complete submission to Microsoft at firstname.lastname@example.org using the bug submission guidelines found here. We request you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We are not responsible for submissions that we do not receive for any reason. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.
If you provide us with an otherwise eligible submission, but do not follow Coordinated Vulnerability Disclosure—for example, by publishing the vulnerability when or before you submit it under this program—then Microsoft may deem your submission to be ineligible under this program. We may also bar you from receiving compensation under future Microsoft Bounty programs.
- Microsoft retains sole discretion in determining award amounts and which submissions eligible and in scope.
- There are no restrictions on the number of qualified submissions an individual submitter may provide or number of awards a submitter may receive.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout award from a single bounty program
For additional information on Microsoft bounty program requirements and legal guidelines please see our Bounty Terms and our FAQ.
Thank you for participating in the Microsoft Bug Bounty Program!
- August 4, 2016: Bounty program launched
- December 7, 2018: Added revision history section and updated program introduction
- April 8, 2019: Updated in-scope versions to Microsoft Edge (EdgeHTML) only. Updated Bounty Awards description and section introductions.