Partnering with the research community is an important part of Microsoft’s holistic approach to defending against security threats. Bounty programs are one part of this partnership, designed to encourage and reward vulnerability research focused on the highest impact to customer security. The Windows Insider Preview (WIP) Bounty Program is a key program for Microsoft and researchers.
Today we’re introducing updates to this program to further incentivize research with the highest impact, including new scenario awards up to $100,000. We’re also announcing procedural updates for more seamless integration with researchers and faster Windows bounty awards for eligible research.
Scenario-based bounty awards – The Windows Insider Preview (WIP) bounty program now includes 5 new scenario-based awards for vulnerabilities that could put customer privacy and security at risk of exploitation. Rewards for these scenarios range from $20,000 to $100,000.
General bounty awards – While we are refocusing the WIP bounty program to defend and protect customers from these five high risk exploit scenarios, we continue to offer bounties for other valid vulnerability reports that do not qualify for scenario-based awards. These vulnerability reports are eligible to receive awards ranging from $500 and $5,000.
Submission updates for faster assessment and bounty review – To enable faster triage and review of WIP bounty submissions and ultimately get awards to researchers faster, we ask that all Windows vulnerability reports indicate if the issue reproduces on WIP Dev Channel, and include the build and revision string in your report.
To further speed bounty review, we recommend using the MSRC Researcher Portal to report vulnerabilities to Microsoft. We’ve updated the portal user experience to streamline communication of the data necessary to triage, assess, and award bounty for qualifying submissions. If you think you’ve found a vulnerability that qualifies for a scenario-based bounty award, there are new fields in the MSRC Researcher Portal to indicate the scenario in your report.
Please visit the Windows Insider Preview Bounty Program webpage
for complete details of the new awards and submission instructions.
A big Thank You to all of the security researchers that work with us to find and fix vulnerabilities that matter to Microsoft customers. We value your partnership and look forward to working with you in the coming year. If you have any questions regarding the Windows Insider Preview bounty program or any other security research incentive program, please contact us at bounty@microsoft.com.
Jarek Stanley, Senior Program Manager, MSRC