Over the past ten months we have paid out over $200,000 USD in bounties. This collaboration with the research community has resulted in significant improvements in Edge security and has allowed us to offer more proactive security for our customers. In keeping with our philosophy of protecting customers and proactively partnering with researchers, today we are changing the Edge on Windows Insider Preview (WIP) bounty program from a time-bound program to a sustained bounty program.
Since 2013, we have launched three browser bounties to uncover specific vulnerabilities. Because security is a continuous effort and not a destination, we prioritize identifying different types of vulnerabilities at different points in time. On August 4, 2016, we launched the Edge Web Platform bounty on WIP to incentivize researchers to send us remote code execution (RCE), same-origin policy bypass (for example, UXSS), and referrer spoofing vulnerabilities in our latest browser. Microsoft is committed to delivering secure products to our customers, and this bounty program helped us achieve that goal. We received many high-quality reports on Edge during this 10-month program, which helped keep our customers secure.
The overall program highlights:
- Any critical remote code execution or important design issue that compromises a customer’s privacy and security will receive a bounty
- The bounty program is sustained and will continue indefinitely at Microsoft’s discretion
- Bounty payouts will range from $500 USD to $15,000 USD
- If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD
- Vulnerabilities must be reproducible on the latest Windows Insider Preview (slow track)
- All security bugs are important to us, and we request that you report all Microsoft Edge browser security bugs to secure@microsoft.com under our Coordinated Vulnerability Disclosure (CVD) policy
- For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog.
As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.
Akila Srinivasan, Microsoft Security Response Center