Microsoft expands bug bounty program to cover any Windows flaw

Now every part of Windows is covered by a bug bounty scheme.

Some bugs aren't worth very much cash.

Microsoft today announced a new bug bounty scheme that would see anyone finding a security flaw in Windows eligible for a payout of up to $15,000.

The company has been running bug bounty programs, wherein security researchers are financially rewarded for discovering and reporting exploitable flaws, since 2013. Back then, Microsoft was paying up to $11,000 for bugs in Internet Explorer 11. In the years since then, Microsoft's bounty schemes have expanded with specific programs offering rewards for those finding flaws in the Hyper-V hypervisor, Windows' wide range of exploit mitigation systems such as DEP and ASLR, and the Edge browser.

Many of these bounty programs were time-limited, covering software during its beta/development period but ending once it was released. This structure is an attempt to attract greater scrutiny before exploits are distributed to regular end-users. Last month, the Edge bounty program was made an ongoing scheme no longer tied to any particular timeframe.

The bounty scheme announced today does not replace those focus areas. Edge, the Windows mitigation techniques, Hyper-V, and Windows Defender App Guard all have their own focused bounty schemes. Rather, it acts as a catch-all for the rest of Windows. A researcher finding and reporting a remote code execution flaw in Windows with a high-quality proof of concept can find themselves eligible for a $15,000 payout. Elevation of privilege can yield $10,000, and even information disclosure, denial of service, and spoofing can produce rewards of up to $5,000.

The targeted schemes can be more lucrative. A full exploit for Hyper-V that enables a malicious or attacker-controlled virtual machine to cause the hypervisor itself to execute arbitrary code will produce a payout of up to $250,000. An exploit that can bypass the full range of exploit mitigation techniques can earn up to $100,000.
