PROGRAM DESCRIPTION

Through the Microsoft Windows Insider Preview bounty program, we invite eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) fast ring build.

Qualified submissions are eligible for awards from $1,000 USD to $50,000 USD. Bounties will be awarded at Microsoft’s discretion. Microsoft may award more depending on the quality and complexity of the submission.

For more information on the Windows Insider Preview platform, see the following references:

BOUNTY SCOPE

The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers. While we welcome and will review any submission that describes a security vulnerability in WIP fast, the following are examples of vulnerabilities that will not earn a bounty award under this program:

  • Vulnerabilities in the Windows Store, Windows Apps, firmware, third-party drivers, or third-party software in Windows
  • Publicly disclosed vulnerabilities that are already known to Microsoft and the wider security community
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities that rely on default security settings being downgraded or on the system using uncommon configurations

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

The Microsoft Bug Bounty program rewards high quality submissions that reflect the research that you put into your discovery. The goal of your report is to share your knowledge and expertise with Microsoft developers and engineers so that they can quickly and efficiently understand and reproduce your finding. This way, they have the background and context to fix the vulnerability.

Vulnerability submissions must meet the following criteria to be eligible for bounty award:

  • Identify a previously unreported Critical or Important vulnerability that reproduces in WIP fast.
  • Affect a feature that is both serviced and eligible for bounty according to the Windows Security Servicing Criteria.
  • Submissions may be made against any version of Windows, but bounty awards are paid only if the bug reproduces in WIP fast.
    • If a submission reproduces in a previous WIP fast build but not in the current WIP fast build at the time of your submission, the submission is ineligible.
  • Include clear, concise, and reproducible steps, either in writing or in video format.
    • Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue. This supports the highest award for the type of vulnerability being reported.
  • Include the impact of the vulnerability (e.g. elevation of privilege from AppContainer to Kernel).
  • Include an attack vector if it is not obvious.
  • Include the build and revision string stored in the BuildLabEx value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key.
    • For example, 99999.1.amd64fre.fs5_release.180914-1434.en-us
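The following PowerShell is an added example for collecting the build information the list above asks for; it is not part of the Microsoft bounty page. It reads the real BuildLabEx, CurrentBuild, UBR, EditionID and DisplayVersion values from the CurrentVersion key and splits BuildLabEx into its fields. The function names (ConvertFrom-BuildLabEx, Get-WipBuildInfo) and the field layout (build.revision.arch+flavor.branch.yymmdd-hhmm.locale) are this example's own, inferred from the page's sample string; the offline check uses that sample string, which is illustrative and not a real build.

```powershell
# Added example, not code from the Microsoft bounty page.
# Assumptions: function names and the BuildLabEx field layout below are this
# example's own; the sample string is the page's illustrative value.

function ConvertFrom-BuildLabEx {
    param([Parameter(Mandatory)][string]$BuildLabEx)

    # Layout inferred from the page's example:
    #   99999.1.amd64fre.fs5_release.180914-1434.en-us
    #   build . revision . arch+flavor . branch . yymmdd-hhmm . locale
    # A branch name may itself contain dots, so take fixed fields from both
    # ends and treat everything in between as the branch.
    $parts = $BuildLabEx.Split('.')
    if ($parts.Count -lt 6) {
        throw "Unexpected BuildLabEx format: '$BuildLabEx'"
    }

    $archFlavor = $parts[2]                     # e.g. amd64fre, x86chk, arm64fre
    $flavor = $null
    if ($archFlavor -match '(fre|chk)$') { $flavor = $Matches[1] }

    [pscustomobject]@{
        Build     = [int]$parts[0]
        Revision  = [int]$parts[1]
        Arch      = $archFlavor -replace '(fre|chk)$', ''
        Flavor    = $flavor                     # fre = free/retail, chk = checked
        Branch    = ($parts[3..($parts.Count - 3)] -join '.')
        Timestamp = $parts[$parts.Count - 2]    # yymmdd-hhmm
        Locale    = $parts[$parts.Count - 1]
        Raw       = $BuildLabEx
    }
}

function Get-WipBuildInfo {
    # Live read of the registry values a submission should quote. Windows only.
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $lab = ConvertFrom-BuildLabEx -BuildLabEx $cv.BuildLabEx

    [pscustomobject]@{
        BuildLabEx     = $cv.BuildLabEx
        # CurrentBuild plus UBR is the build.revision pair shown by winver.
        FullVersion    = "$($cv.CurrentBuild).$($cv.UBR)"
        Branch         = $lab.Branch
        Arch           = $lab.Arch
        Flavor         = $lab.Flavor
        Edition        = $cv.EditionID
        DisplayVersion = $cv.DisplayVersion     # absent (null) on older builds
    }
}

# Offline check against the page's sample string (constructed input):
ConvertFrom-BuildLabEx '99999.1.amd64fre.fs5_release.180914-1434.en-us' | Format-List

# On the WIP machine, run this and paste the output into the submission:
# Get-WipBuildInfo | Format-List
```

Run Get-WipBuildInfo on the machine where the bug reproduces, not on the machine the report is written from, and compare the Branch and Build fields against the current WIP fast build before submitting, since a submission that only reproduces on an earlier build is ineligible.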

HOW ARE AWARD AMOUNTS SET?

Rewards for submissions that qualify for a bounty typically range from $1,000 up to $30,000, with rewards up to $50,000 in the Defender AV Sandbox Escape bounty (see below). Higher awards are possible, at Microsoft’s sole discretion, based on entry quality and complexity. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
  • Microsoft reserves the right to reject, at our sole discretion, any submission that we determine does not meet these criteria.

Awards by security impact, report quality, and vulnerability severity (amounts in each cell are listed in report-quality order, High / Medium / Low):

Impact                   | Report Quality      | Critical                   | Important                  | Moderate | Low
-------------------------|---------------------|----------------------------|----------------------------|----------|-----
Remote Code Execution    | High / Medium / Low | $30,000 / $12,000 / $3,000 | $25,000 / $8,000 / $2,000  | N/A      | N/A
Elevation of Privilege   | High / Medium / Low | N/A                        | $20,000 / $8,000 / $2,000  | $0       | N/A
Security Feature Bypass  | High / Medium / Low | N/A                        | $20,000 / $8,000 / $2,000  | $0       | $0
Information Disclosure   | High / Medium / Low | N/A                        | $10,000 / $3,000 / $1,000  | $0       | $0
Spoofing                 | High / Medium / Low | N/A                        | $10,000 / $3,000 / $1,000  | $0       | $0
Tampering                | High / Medium / Low | N/A                        | $10,000 / $3,000 / $1,000  | $0       | $0
Remote Denial of Service | High / Medium / Low | N/A                        | $10,000 / $3,000 / $1,000  | $0       | $0

N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category.

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.

We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.

LIMITED TIME DEFENDER AV SANDBOX ESCAPE BOUNTY

Beginning January 15th, 2019, submissions identifying vulnerabilities in Windows Defender Antivirus may be eligible for awards up to $50,000 USD. Qualifying submissions received between January 15 and June 15, 2019 will be evaluated against the following criteria:

Scope is limited to elevation of privilege from inside the content parsing process. Qualifying submissions will include details of a vulnerability reachable from the content parsing sandbox whose exploitation would result in elevation of privilege, or in reaching additional attack surface.

The following scenarios are out of scope:

  • Falsifying results from parsing or inspection
  • Attacks that rely on triggering "fallback" behavior that aborts use of the sandbox, as this behavior will not be present in the final version
  • Attacks that rely on corrupting or writing to the Windows Defender AV internal database (mpenginedb.db), as modifying this file requires administrative rights

Submissions that meet the above criteria will be eligible for the following awards based on the quality of the report and the severity of the vulnerability (amounts in each cell are listed in report-quality order, High / Medium / Low):

Impact                 | Report Quality      | Critical | Important                  | Moderate | Low
-----------------------|---------------------|----------|----------------------------|----------|-----
Elevation of Privilege | High / Medium / Low | N/A      | $50,000 / $15,000 / $4,000 | N/A      | N/A

N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category.

LEGAL NOTICE

For additional information on Microsoft bounty program requirements and legal guidelines please see our Bounty Terms and our FAQ.

REVISION HISTORY

  • July 26, 2017: Program launched
  • January 17, 2019: Added Security Servicing Criteria and updated duplicate report guidelines. Added temporary Windows sandbox escape scope and increased award levels.