Announcing the Windows Bounty Program

Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit and leverage vulnerabilities. We built in mitigations and defenses such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard to harden our systems, and we continue adding defenses such as Windows Defender Application Guard to significantly increase protection and harden entry points while ensuring the customer experience is seamless.

In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017. This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We’re also bumping up the pay-out range for the Hyper-V Bounty Program.

Since 2012, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of bug bounties, and we trust that they serve to enhance our security capabilities.

The overall program highlights:

Any critical or important class remote code execution, elevation of privilege, or design flaw that compromises a customer’s privacy and security will receive a bounty
The bounty program is sustained and will continue indefinitely at Microsoft’s discretion
Bounty payouts will range from $500 USD to $250,000 USD

If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10% of the highest amount they could have received (example: $1,500 for an RCE in Edge, $25,000 for an RCE in Hyper-V)

All security bugs are important to us and we request you report all security bugs to [email protected] under the Coordinated Vulnerability Disclosure (CVD) policy
For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog

The details of the targets and the focus area can be found in the table below:

Source: Microsoft/Blog
