PROGRAM DESCRIPTION

Through the Microsoft Hyper-V Bounty Program individuals across the globe have the opportunity to submit vulnerabilities in eligible product versions for Microsoft Hyper-V for awards of up to $250,000 USD. Microsoft will award a bounty on three types of vulnerabilities: Remote Code Execution (RCE), Information Disclosure (ID) and Denial of Service (DOS). All bounties will be awarded at Microsoft’s discretion.
 
The Microsoft Hyper-V Bounty Program is subject to the legal terms outlined in the Microsoft Bounty Terms and Conditions.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

The Microsoft Bug Bounty program is looking to reward high-quality submissions that reflect the research that you put into your discovery. The goal of your report is to share your knowledge and expertise with Microsoft developers and engineers so that they can quickly and efficiently understand and reproduce your finding. This way, they have the background and context to fix the vulnerability.
 
Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for bounty award:
 
  • Identify an original and previously unreported remote code execution (RCE), information disclosure (ID), or denial of service (DoS) vulnerability that reproduces in the Microsoft Hyper-V technologies listed within scope.
  • Include a description of the issue and concise reproduction steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if it is not obvious.

Scope:

  • Hyper-V on Windows 10 (latest builds of Windows Insider Preview (WIP) Slow)
    • If you are submitting a vulnerability for Hyper-V on Windows 10, the vulnerability must reproduce on the most recent WIP Slow build to qualify for a bounty.
    • If a submission reproduces in a previous WIP Slow build but not in the current WIP Slow build at the time of your submission, the submission is ineligible.
  • Hyper-V on Windows Server 2016 (latest available version)
  • Hyper-V isolation containers

Out of Scope:

  • Hardware and firmware issues
  • Vulnerabilities that can only be triggered by an attacker running code on the host
  • Vulnerabilities based on third party code, such as Docker and Kubernetes

HOW ARE AWARD AMOUNTS SET?

Rewards for submissions that qualify for a bounty range from $5,000 up to $250,000. Higher awards are given based on the quality of the report and the security impact of the vulnerability. Security researchers are encouraged to provide as much data as possible at the time of submission to maximize their chance of receiving the highest award. We typically reward lower amounts for vulnerabilities that require significant user interaction.
 
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout from a single bounty program.
  • Microsoft reserves the right to reject, at our sole discretion, any submission that we determine does not meet the above criteria.

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write-up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.

BOUNTY PROGRAM TIERS

We have divided the scope into tiers to provide better clarity on the payment structure:
 
  • Tier 1 includes the Hypervisor and the Host Kernel
  • Tier 2 includes user-mode processes, including (but not limited to) the VM Worker Process and VM Compute
  • Tier 3 includes the following Hyper-V components: RemoteFX®, Legacy Network Adapter (Generation 1) and Fibre Channel Adapter

Remote Code Execution

An eligible submission includes an RCE vulnerability in Microsoft Hyper-V that enables a guest virtual machine to compromise the hypervisor, escape from a guest virtual machine to the host, or escape from one guest virtual machine to another guest virtual machine.

Vulnerability Type | Tier   | Proof of concept | Functioning Exploit | Report Quality | Payout range (USD)*
RCE                | Tier 1 | Required         | Yes                 | High           | $250,000
RCE                | Tier 1 | Required         | No                  | High           | $200,000
RCE                | Tier 1 | Required         | No                  | Low            | $50,000
RCE                | Tier 2 | Required         | Yes                 | High           | $150,000
RCE                | Tier 2 | Required         | No                  | High           | $100,000
RCE                | Tier 2 | Required         | No                  | Low            | $25,000
RCE                | Tier 3 | Required         | Yes                 | High           | $20,000
RCE                | Tier 3 | Required         | No                  | High           | $15,000
RCE                | Tier 3 | Required         | No                  | Low            | $5,000

*The payment tiers were updated on July 26, 2017.

Denial of Service and Information Disclosure

The vulnerability should result in one of the following:

  • A crash of the host machine, resulting in a denial of service condition
  • A failure to start and stop VMs
  • Access to sensitive information from the host machine or another guest

Vulnerability Type | Tier   | Proof of concept | Report Quality | Payout range (USD)
DoS                | Tier 1 | Required         | High           | $15,000
DoS                | Tier 1 | Required         | Low            | $5,000
Info Disclosure    | Tier 1 | Required         | High           | $25,000
Info Disclosure    | Tier 1 | Required         | Low            | $5,000
Info Disclosure    | Tier 2 | Required         | High           | $15,000
Info Disclosure    | Tier 2 | Required         | Low            | $5,000

LEGAL NOTICE

For additional information on the Microsoft legal guidelines, please see our Bounty Terms and our FAQ.

REVISION HISTORY

May 31, 2017: Program launch.
December 7, 2018: Revision history added.
January 22, 2019: Added Hyper-V isolation containers to the bounty scope.
March 15, 2019: Added examples to the Tier 2 definition and specified third-party code vulnerabilities as out of scope.

Thank you for participating in the Microsoft Bug Bounty Program!