On August 4, 2016 we launched a bounty program that targets Remote Code Execution (RCE) vulnerabilities in Microsoft Edge on the Windows Insider Preview Slow (WIP slow). Today, we will be making additions to this bounty program. Since security is a continuous effort and not a destination, we prioritize acquiring different types of vulnerabilities in different points of time. Currently, we are focusing on vulnerabilities that lead to violation of W3C standards that compromise privacy and integrity of important user data, and RCEs. This program now includes:
- Same Origin Policy bypass vulnerabilities (example: UXSS)
- Referer Spoofing vulnerabilities
- Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview
- Vulnerabilities in open source sections of Chakra
- The bounty will run August 4, 2016 through May 15, 2017 and vulnerabilities on UXSS and referer spoofing submitted to secure@microsoft.com after August 4, 2016 will be retroactively rewarded
- Bounty payouts will range from $500 USD to $15,000 USD
- If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD
- Vulnerabilities must be reproducible on the latest Windows Insider Preview (Slow track)
- All security bugs are important to us and we request you report all Microsoft Edge browser security bugs to secure@microsoft.com
For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog.
As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.
Akila Srinivasan and Crispin Cowan