PROGRAM DESCRIPTION

The Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. Qualified submissions are eligible for awards from $500 USD to $100,000 USD.

Bounties will be awarded at Microsoft’s discretion. Microsoft may award more depending on the severity and impact of the vulnerability, and the quality of the submission. This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions.  

ELIGIBLE SUBMISSIONS

The goal of the bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.

Vulnerability submissions must meet the following criteria to be eligible for bounty awards:

  • Identify a vulnerability that was not previously reported to Microsoft.
  • Such vulnerability must be Critical or Important severity as defined in the Microsoft Vulnerability Severity Classification for Windows.
  • To be eligible for General Awards, your submission must be reproducible against the latest Dev Channel build of Windows Insider Preview.
  • To be eligible for Attack Scenario Awards, your submission must include a proof of concept demonstrating the vulnerability against the latest Dev Channel build of Windows Insider Preview
    • Include in the submission the latest Dev Channel build that was tested and revision string in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx registry key.
      • For example, 99999.1.amd64fre.fs5_release.180914-1434.en-us
  • Bounty awards will be based on the version of Windows Insider Preview used in the original proof of concept at the time of submission. 
  • Include clear, concise, and reproducible steps, either in writing or in video format, providing our engineering team the information necessary to quickly reproduce, understand, and fix the issues.
    • Find examples here
  • Affect a feature that is both serviced and eligible for bounty according to the Microsoft Security Servicing Criteria for Windows.
  • Use a component with known vulnerabilities. 
    • Requires proof of reachability. For example, a small program that causes the identified vulnerable code to be run.

We request researchers include the following information to help us quickly assess their submission

    Submit through the MSRC Researcher Portal
  • Indicate in the vulnerability submission which attack scenario (if any) your report qualifies for
  • Describe the attack vector for the vulnerability

GETTING STARTED

To get started, join the Windows Insider Preview program and download the latest Dev Channel version.

For more information, see:

BOUNTY AWARDS

Bounty awards range from $500 USD up to $100,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Researchers who report vulnerabilities that do not qualify for bounty awards may still be eligible for public acknowledgment if their report leads to a vulnerability fix.

If a reported vulnerability does not qualify for a bounty award under the Attack Scenarios, it may be eligible for a bounty award under General Awards. Eligible submissions will be awarded the single highest qualifying award.

Attack Scenario Awards*

 

Attack Vector

Scenario

Maximum Award

Remote (assumes no prior execution)

Unauthenticated1 non-sandboxed code execution with no user interaction

$100,000

Demonstrated2 unauthenticated and unauthorized access to private3 user data with little4 or no user interaction

$50,000

Unauthenticated data destruction or persistent denial of service with no user interaction

$30,000

Local (assumes prior execution)

Sandbox5 escape with little or no user interaction

$20,000

Demonstrated unauthorized access to private user data from a sandboxed5 process with no user interaction

$20,000

*Proof-of-concepts for an Attack Scenario Award must exercise a vulnerability within a shipped Windows application. This includes, without limitation, shipped clients, servers, and services.

1Unauthenticated attacks are only those attacks that require no credentials or being part of a domain, and lateral movement attacks are strictly out of scope as these would be considered post-auth. Additionally, attacks that require the victim to already have the application open, download an attachment, or interact with the application in any way are out of scope.

2Demonstrated means submission must explain in detail how the reported vulnerability can be used to access private data.

3Private data means user files, emails, photos or similar data protected behind a Windows security boundary.

4Little user interaction includes, without limitation, clicking a file or browsing to a website. 

5Eligible sandboxes are New Microsoft Edge based on Chromium renderer process, Windows Defender Sandbox (MsMpEngCP), WinHTTP Web Proxy Auto-Discovery Service (WPAD) sandboxed process, UtcDecoderHost.exe sandboxed process. Ineligible sandboxes are AppContainer (AC) and Internet Explorer sandbox, these are eligible for general bounty awards (see below). 

General Awards

 

Security Impact

Maximum Award

Remote Code Execution

$5,000

Elevation of Privilege

$2,000

Security Feature Bypass

$1,000

Information Disclosure

$1,000

Spoofing

$1,000

Tampering

$1,000

Denial of Service

$500

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Microsoft is happy to receive and review each vulnerability report on a case-by-case basis, but some vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards: 

  • Any submission that does not demonstrate testing and reproduction in Windows Insider Preview Dev Channel at time of submission
  • Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community.
  • Low or Moderate severity vulnerabilities
  • Submissions impacting features not serviced and eligible for bounty according to the Microsoft Security Servicing Criteria for Windows.
  • Vulnerabilities in Windows Store, Windows Apps, firmware, third party drivers, or third-party software in Windows.
  • Vulnerabilities requiring extensive or unlikely user actions.
  • Vulnerabilities that are only reachable via Microsoft Internet Explorer or Microsoft Edge Legacy. Please use the new Microsoft Edge.  
  • Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations.
  • Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configurations. Common configurations that are either default configurations or configurations that are specifically recommended on MSDN or official Microsoft documentation. Examples of uncommon configurations include, without limitation:
    • Vulnerabilities that require enabling Server Message Block protocol (SMBv1) 
    • Sandbox escapes with User Account Control (UAC) disabled 
    • Enabling WINS or other legacy, insecure protocols
    • Proof-of-concepts that exercise a vulnerability within a custom application are not eligible for an Attack Scenario Award. This includes, without limitation, fuzzing harness, custom clients, and custom servers.

ADDITIONAL INFORMATION

For additional information please see our FAQ.

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission. 
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
  • Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.

REVISION HISTORY

  • July 26, 2017: Program launched
  • January 17, 2019: Added Security Servicing Criteria and updated duplicate report guidelines. Added temporary Windows sandbox escape scope and increased award levels.
  • October 3, 2019: Removed Defender AV sandbox escape bounty bonus. Added How Do I Provide My Report section. 
  • February 10, 2020: Renamed "Bounty Scope" section to "Out of Scope Submissions and Vulnerabilities."
  • April 22, 2020: Added out of scope - vulnerabilities that rely on Microsoft Internet Explorer or Microsoft Edge Legacy and vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations, including examples.
  • July 24, 2020: Added attack scenario awards and general award table, increasing top award to $100,000. Added requirement that eligible submissions must show testing and repro on Dev Channel. Separated submission eligibility into required criteria and recommended criteria.
  • August 27, 2020: Moved “clear, concise, reproducible steps” from recommended to required. Added clarification that “unauthenticated” is required for Remote attack scenarios. Added definition for “demonstrated” in attack scenarios. 
  • September 1, 2021: Added definition for “unauthenticated” in attack scenarios. Updated “Eligible Submissions” section to provide clarity for what to include in a submission. Updated list of eligible sandboxes.
  • December 8, 2021: Added enabling WINS and other legacy products to Out-of-Scope under the Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configuration bullet. 
  • December 20, 2021: Added additional detail to the Unauthenticated RCE Scenario exclusion in footnote 1.
  • January 18, 2022: Removed local vulnerabilities involving race conditions in user-mode components from Out-of-Scope.
  • January 20, 2022: Removed local vulnerabilities involving file path redirection through junctions or mountpoints from Out-of-Scope.
  • February 25, 2022: Added additional detail on what is required in a proof-of-concept.
  • March 4, 2022: Clarified common configuration definition in the Out-of-Scope section. 
  • May 4, 2022: Added additional detail for what is required in a proof-of-concept.
  • October 31, 2022: Updated general and scenario award requirements in the Eligible Submissions section.