Microsoft Windows Insider Preview Bounty Program
Microsoft is pleased to announce the launch of the Window Insider Preview bounty programs beginning July 26, 2017. The eligible submission criteria and payment tiers were updated on February 2, 2018. Through this program, eligible participants across the globe can submit vulnerabilities that reproduce in latest Windows Insider Preview (WIP) fast ring.
Qualified submissions for the Windows Insider Preview Bounty Program are eligible for payment from a minimum of $500 USD up to $15,000 USD. Bounties will be paid out at Microsoft’s discretion. Microsoft may pay more depending on the entry quality and complexity.
For more information on the Windows Insider Preview platform, see the following references:
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?
The Microsoft Bug Bounty program is looking to reward high quality submissions that reflect the research that you put into your discovery. The goal of your report is to share your knowledge and expertise with Microsoft developers and engineers so that they can quickly and efficiently understand and reproduce your finding. This way, they have the background and context to fix the vulnerability.
Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for payment:
- Identify an original and previously unreported Critical or Important vulnerability that reproduces in WIP fast.
- Submit against any version of Windows, but bounty awards will only be paid if the bug reproduces in WIP fast.
- If a submission reproduces in a previous WIP fast build but not the current WIP fast at the time of your submission, then the submission is ineligible.
- Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Include the impact of the vulnerability (i.e. elevation of privilege from AppContainer to Kernel)
- Include an attack vector if not obvious
- Include the build and revision string in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx registry key.
HOW ARE PAYMENT AMOUNTS SET?
Rewards for submissions that qualify for a bounty typically range from $500 up to $15,000. Higher payouts are possible, at Microsoft’s sole discretion, based on entry quality and complexity.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- The first external report received on an internally known issue will receive a maximum of 10% of the maximum payout ($1,500 for a high quality RCE).
- If a duplicate report provides us new information that was previously unknown to Microsoft, we will award a differential to the duplicate submission.
- Microsoft may reject any submission, that it determines (in its sole discretion) does not meet these criteria.
|Remote Code Execution||Up to $15,000||From $500 to $7,500|
|Elevation of Privilege||Up to $10,000||From $500 to $5,000|
|Information Disclosure||Up to $5,000||From $500 to $2,500|
|Remote Denial of Service||Up to $5,000||From $500 to $2,500|
|Tampering / Spoofing||Up to $5,000||From $500 to $2,500|
A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept.
We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.
If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout from a single bounty program.
The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users. While we encourage any submissions that describe security vulnerabilities in WIP fast, the following are examples of vulnerabilities that will not earn a bounty reward under this program:
- Vulnerabilities in Windows Store, Windows Apps, firmware, third party drivers, or third-party software in Windows
- Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configurations
To get additional information on the Microsoft legal guidelines please go here.