Microsoft offers up to $20,000 in Xbox bug bounty
Microsoft is no stranger to using bug bounty programs to track down security problems and other issues with its software and services. Now the company has launched an Xbox bug bounty program, offering payouts of up to $20,000 to anyone finding vulnerabilities.
The particular aim of this bounty program is to find issues with the Xbox Live network and services. Microsoft says the amounts it will pay gamers and security researchers who report problems will depend on the severity and impact of the vulnerability, as well as the quality of the submission.
See also:
- Microsoft releases update to fix Explorer problems in Windows 10
- Most antivirus companies will continue to support Windows 7
- Today you can speak with Microsoft about the future of Windows and Office
The average gamer is unlikely to unearth issues with Xbox Live that will suddenly make them twenty grand richer. Microsoft is placing a strong emphasis on the quality of reporting, demonstration of a proof of concept, and so on.
Microsoft explains the bounty program:
The Xbox Bounty Program invites gamers, security researchers, and others around the world to help identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.
Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.
Although Microsoft says that the lowest payout is $500, in an explanatory table, it shows the figure being $1,000:
| Security Impact
|
Report Quality
|
Severity | |||
| Critical | Important | Moderate | Low | ||
| Remote Code Execution | High | $20,000 | $15,000 | N/A | N/A |
| Medium | $15,000 | $10,000 | |||
| Low | $10,000 | $5,000 | |||
| Elevation of Privilege | High | $ 8,000 | $5,000 | $0 | N/A |
| Medium | $ 4,000 | $2,000 | |||
| Low | $ 3,000 | $1,000 | |||
| Security Feature Bypass | High | N/A | $5,000 | $0 | N/A |
| Medium | $2,000 | ||||
| Low | $1,000 | ||||
| Information Disclosure | High | N/A | $5,000 | $0 | $0 |
| Medium | $2,000 | ||||
| Low | $1,000 | ||||
| Spoofing | High | N/A | $5,000 | $0 | $0 |
| Medium | $2,000 | ||||
| Low | $1,000 | ||||
| Tampering | High | N/A | $5,000 | $0 | $0 |
| Medium | $2,000 | ||||
| Low | $1,000 | ||||
| Denial of Service | High/Low | Out of Scope | |||
It is interesting to see that things such as DoS vulnerabilities and critical severity security feature bypasses are not eligible for payments as part of this program.
Full details of the rules and eligibility for the bounty program can be found here.
Image credit: TheInnerProduct / Shutterstock