Bug bounty programs are an extremely effective way of getting the wider security community involved in helping to secure a piece of software. In return for spending time attempting to break through the security of a given system, you can make some money and earn a bit of recognition.
Microsoft announced the Windows Bounty Program, challenging "good friends, hackers, and researchers" to break into any and all parts of Windows 10 and Windows Server.
Microsoft isn't really new to the bug bounty game. Its Mitigation Bypass Bounty and Bounty for Defense programs have been running since 2013, and a Microsoft Edge bounty has been in place since August 2016. The new bounties are really an expansion of what's already in place, and add the Windows Insider Preview, Windows Defender Application Guard, and Microsoft Hyper-V.
Rewards range anywhere from $500 right up to $250,000 for the most severe Hyper-V bugs. Hyper-V is Microsoft's solution for running virtual machines and helps power the Azure cloud computing service, so you can see why Microsoft wants to identify and fix any vulnerabilities there rapidly. To earn $250,000 you have to identify a vulnerability that qualifies as Remote Code Execution, Information Disclosure, or a Denial of Service.
A nice extra feature of this bounty program is the 10 percent reward. If a reported bug turns out to be one Microsoft has already found internally, the first external finder still gets 10 percent of the qualifying reward. So if a researcher reports a vulnerability worth $250,000 that Microsoft already knows about internally, they'll still get $25,000.
Taken as a whole, Microsoft is clearly extremely keen to ensure its core products of Windows 10, Windows Server, the Edge web browser, and Windows Defender are as safe and secure as possible. And with the rate at which new threats appear, it would be nearly impossible to keep up relying entirely on an internal security team at Microsoft.