I’m very happy to announce another addition to the Microsoft Bounty Programs. Microsoft will be hosting a bounty for Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview builds.
This bounty continues our partnership with the security research community in working to secure our platforms, in pre-release stages of the development process. The Windows Insider program is built to help shape the future of Windows, and represents the latest in features, including new security features and mitigations. For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog.
As the bounty programs are pushing forward into earlier releases of software, there may be more instances of a vulnerability being reported which Microsoft is already working to resolve. In the event this occurs, as recognition for the real effort put into finding these vulnerabilities, a payment of up to $1,500 USD will be made to the first external researcher who reports the issue.
To find out more about the Microsoft Edge Remote Code Execution Bounty, please visit https://aka.ms.BugBounty. The program highlights are:
- Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview
- Also, Includes Open Source sections of Chakra
- The bounty will run August 4, 2016 through May 15, 2017
- Bounty payouts will range from $500 USD to $15,000 USD
- If a researcher reports a qualifying vulnerability already found internally by Microsoft , a payment will be made to the first finder at a maximum of $1,500 USD
- Vulnerabilities must be reproducible on the latest Windows Insider Preview (Slow track)
This new bounty will be in addition to our ongoing Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties are worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.
As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.
Start your fuzzers!