PROGRAM DESCRIPTION

The Microsoft Edge (Chromium-based) Insider Bounty Program welcomes individuals across the globe to seek out and submit vulnerabilities unique to the next version of Microsoft Edge based on Chromium. Qualified submissions are eligible for bounty rewards of $1,000 USD to $30,000 USD.

Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and are subject to the Microsoft Bounty Terms and Conditions.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

The goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to uncover vulnerabilities that are unique to the next Microsoft Edge and which have a direct and demonstrable impact on the security of our customers. Vulnerability submissions must meet the following criteria to be eligible for bounty awards:

  • Identify a previously unreported vulnerability that is unique to Microsoft Edge based on Chromium, in the Beta or Dev channels, and which does not reproduce on the equivalent channel of Google Chrome.
    • Vulnerabilities must be reproducible on the latest version of Microsoft Edge at the time of submission, running on the latest, fully patched version of Windows (including Windows 10, Windows 7 SP1 or Windows 8.1) or macOS at the time of submission.
    • Include the version number of Microsoft Edge used to reproduce the vulnerability (e.g. Version 77.0.188.0 (Official build) dev (64-bit)), and the version number of Chrome used to verify that it does not reproduce on Chrome. Eligible version numbers of the next version of Microsoft Edge will begin with 77 or higher.
  • Demonstrable exploits in third-party components that reproduce in Microsoft Edge but not in Chrome are also eligible for consideration under this bounty program. Testing in Windows Insider Preview is not required.
    • A full proof of concept (PoC) of exploitability is required. For example, simply identifying an out-of-date library would not qualify for an award.
  • Include concise reproduction steps that are easily understood, either in writing or in video format.
    • This allows submissions to be processed as quickly as possible and supports the highest bounty awards.
  • Must provide a Proof of Concept (PoC) with the submission.

Microsoft may accept or reject, at our sole discretion, any submission that we determine does not meet the above criteria.

GETTING STARTED

Download the next version of Microsoft Edge and follow the Microsoft Edge team blog, community forums, GitHub, Microsoft Edge Insider page, and Twitter to learn about the latest features and releases.

There are several features in Microsoft Edge on Chromium that are unique to Edge and may be good places to start looking for Microsoft bounty-eligible vulnerabilities. Below are a few examples:

  • Internet Explorer (IE) Mode: This feature allows enterprise administrators to maintain a trusted list of sites that are allowed to open in IE Mode within the Edge browser. This feature requires a supported version of Windows. See the new Microsoft Edge documentation for more details on this feature.
  • PlayReady DRM: This feature allows the new Microsoft Edge to show media content protected with PlayReady DRM (in addition to Widevine DRM, which is also supported by Google Chrome).
  • Sign in with Microsoft Account (MSA) or Azure Active Directory (AAD): This feature allows users to sign into the browser with an MSA or AAD, which can enable syncing across devices and other personalization. Vulnerabilities affecting Microsoft Identity services will be reviewed and awarded under the Microsoft Identity bounty program if eligible.
  • Application Guard: Vulnerabilities affecting Application Guard will be reviewed and awarded under the Windows Defender Application Guard bounty program if eligible. Vulnerabilities resulting in an escape from the WDAG container to the host are eligible for up to $30,000.

HOW ARE PAYMENT AMOUNTS SET?

Bounty awards range from $1,000 up to $30,000. Higher awards are possible, at Microsoft’s sole discretion, based on entry quality and complexity. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix. 

Security Impact                                      | Report Quality | Critical | Important | Moderate | Low
-----------------------------------------------------|----------------|----------|-----------|----------|-----
Elevation of Privilege (EoP) + WDAG container escape |                | Up to $30,000 under the Windows Defender Application Guard Bounty Program
Elevation of Privilege (EoP)                         | High           | $15,000  | $10,000   | $0       | $0
Elevation of Privilege (EoP)                         | Medium         | $13,000  | $8,000    | $0       | $0
Elevation of Privilege (EoP)                         | Low            | $8,000   | $5,000    | $0       | $0
Remote Code Execution (RCE)*                         | High           | $10,000  | $7,000    | $0       | $0
Remote Code Execution (RCE)*                         | Medium         | $8,000   | $4,000    | $0       | $0
Remote Code Execution (RCE)*                         | Low            | $5,000   | $1,000    | $0       | $0
Information Disclosure                               | High           | $10,000  | $6,000    | $0       | $0
Information Disclosure                               | Medium         | $8,000   | $3,000    | $0       | $0
Information Disclosure                               | Low            | $5,000   | $1,000    | $0       | $0
Spoofing/Tampering                                   | High           | N/A**    | $6,000    | $0       | $0
Spoofing/Tampering                                   | Medium         | N/A**    | $3,000    | $0       | $0
Spoofing/Tampering                                   | Low            | N/A**    | $1,000    | $0       | $0
Security Feature Bypass                              |                | Awarded based on resulting impact of the bypass (e.g. site isolation bypass, SOP bypass, etc.) | $0 | $0
Denial of Service                                    | High/Low       | Out of Scope

* A vulnerability in Microsoft Edge based on Chromium where an attacker has remote access to a victim’s computing device and can make changes, no matter where the device is geographically located.

** N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category.

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write-up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.

We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for a bounty reward. Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty rewards:

  • Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
  • Vulnerabilities that reproduce in Chrome at the time of submission
  • Vulnerabilities that only reproduce in Canary or earlier builds at the time of submission
  • Vulnerabilities in any version of Internet Explorer
  • Vulnerabilities in any version of Microsoft Edge based on EdgeHTML (versions of Edge up to and including version 45)
  • Vulnerabilities in Edge running on mobile operating systems such as iOS or Android
  • Vulnerabilities in user-generated content
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities found by disabling existing browser security features
  • Vulnerabilities in experimental features, such as those listed in edge://flags

Microsoft may accept or reject any submission that it determines, at its sole discretion, falls into any of these categories.

HOW DO I PROVIDE MY SUBMISSION?

Send your complete submission to Microsoft using the MSRC submission portal and the bug submission guidelines. We request that you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.

Have questions? We're always available at secure@microsoft.com.

BOUNTY AWARDS

  • Microsoft retains sole discretion in determining award amounts and which submissions are eligible and in scope.
  • There are no restrictions on the number of qualified submissions an individual submitter may provide or the number of awards a submitter may receive.
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may provide a partial award to the duplicate submission.
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest award from a single bounty program.

TERMS AND CONDITIONS

For additional information on Microsoft bounty program requirements and legal guidelines, please see our Bounty Terms, FAQ, and bounty Safe Harbor policy.

Thank you for participating in the Microsoft Bug Bounty Program! 

REVISION HISTORY

  • Aug 20, 2019: Bounty program launched. Removed reference to MemGC.