PROGRAM DESCRIPTION

Microsoft is pleased to broaden the scope of the Microsoft Hyper-V Bounty Program beginning May 31, 2017. Through this program, individuals across the globe have the opportunity to submit vulnerabilities in eligible product versions of Microsoft Hyper-V for payment of up to $250,000 USD. Microsoft will pay a bounty on three types of vulnerabilities: Remote Code Execution (RCE), Information Disclosure (ID) and Denial of Service (DoS). All bounties will be paid out at Microsoft’s discretion.

The Microsoft Hyper-V Bounty Program is subject to the legal terms outlined here.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

The Microsoft Bug Bounty program is looking to reward high-quality submissions that reflect the research you put into your discovery. The goal of your report is to share your knowledge and expertise with Microsoft developers and engineers so that they can quickly and efficiently understand and reproduce your finding. This way, they have the background and context to fix the vulnerability.
Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for payment:
  • Identify an original and previously unreported remote code execution (RCE), information disclosure (ID), or denial of service (DoS) vulnerability that reproduces in our Microsoft Hyper-V technologies that are listed within scope.
  • Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if it is not obvious.

Scope:

  • Hyper-V on Windows 10 (latest Windows Insider Preview (WIP) Slow ring builds)
    • If you are submitting a vulnerability for Hyper-V on Windows 10, the vulnerability must reproduce on the current WIP Slow build to qualify for a bounty
    • If a submission reproduces in a previous WIP Slow build but not in the current WIP Slow build at the time of your submission, the submission is ineligible
  • Hyper-V on Windows Server 2016 (latest available version)

Out of Scope:

  • Hyper-V isolation containers
  • Hardware and firmware issues
  • Vulnerabilities that can only be triggered by an attacker running code on the host

HOW ARE PAYMENT AMOUNTS SET?

Rewards for submissions that qualify for a bounty range from $5,000 up to $250,000. Higher payouts are given based on the quality of the report and the security impact of the vulnerability. Security researchers are encouraged to provide as much data as possible at the time of submission to maximize their chance of the highest payout. We typically reward lower amounts for vulnerabilities that require significant user interaction.
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
  • The first external report received on an internally known issue will receive a maximum of 10% of the maximum payout.
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we will award a differential to the duplicate submission.
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout from a single bounty program.
  • Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet the above criteria.
A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.

BOUNTY PROGRAM TIERS

We have divided the scope into tiers to provide better clarity on the payment structure:
  • Tier 1 includes Hypervisor and Host Kernel
  • Tier 2 includes Virtual Machine worker process
  • Tier 3 includes the following Hyper-V components: RemoteFX®, Legacy Network Adapter (Generation 1) and Fibre Channel Adapter

Remote Code Execution

An eligible submission includes an RCE vulnerability in Microsoft Hyper-V that enables a guest virtual machine to compromise the hypervisor, escape from a guest virtual machine to the host, or escape from one guest virtual machine to another guest virtual machine.
Vulnerability Type   Tier    Proof of concept   Functioning Exploit   Report Quality   Payout range (USD)*
RCE                  Tier 1  Required           Yes                   High             $250,000
RCE                  Tier 1  Required           No                    High             $200,000
RCE                  Tier 1  Required           No                    Low              $50,000
RCE                  Tier 2  Required           Yes                   High             $150,000
RCE                  Tier 2  Required           No                    High             $100,000
RCE                  Tier 2  Required           No                    Low              $25,000
RCE                  Tier 3  Required           Yes                   High             $20,000
RCE                  Tier 3  Required           No                    High             $15,000
RCE                  Tier 3  Required           No                    Low              $5,000
*The payment tiers were updated on July 26, 2017

Denial of Service and Information Disclosure

The vulnerability should result in one of the following:
  • Crash the host machine, resulting in a denial of service condition
  • Cause VMs to fail to start or stop
  • Gain sensitive information from the host machine or another guest
Vulnerability Type   Tier    Proof of concept   Report Quality   Payout range (USD)
DoS                  Tier 1  Required           High             $15,000
DoS                  Tier 1  Required           Low              $5,000
Info Disclosure      Tier 1  Required           High             $25,000
Info Disclosure      Tier 1  Required           Low              $5,000
Info Disclosure      Tier 2  Required           High             $15,000
Info Disclosure      Tier 2  Required           Low              $5,000

LEGAL NOTICE

To get additional information on the Microsoft legal guidelines please go here.

Thank you for participating in the Microsoft Bug Bounty Program!