Microsoft adds Windows bounty program that tops out at $250,000

Gaining remote code execution in Hyper-V will see researchers earn a quarter of a million dollars.
Written by Chris Duckett, Contributor

Microsoft has added to its suite of bug bounties by launching its Windows bounty program that targets security holes in its Windows 10 Insider Preview slow ring.

The highest payout of the program will be $250,000 for an "original and previously unreported" functioning exploit within Hyper-V that allows for remote code execution and impacts the hypervisor and host kernel. However, the exploit needs to work on the latest release of the Windows Insider Preview slow ring.

"If a submission reproduces in a previous WIP Slow build but not the current WIP Slow at the time of your submission, then the submission is ineligible," Microsoft said in an explanatory note.

If a researcher reports an issue that is known to Microsoft and is the first external finder of the vulnerability, Microsoft said it will pay 10 percent of the highest amount due to them.

Remote code execution bugs found within a Windows Insider Preview, or the Edge web browser will gain up to $15,000, with privilege escalation, remote denial of service, and information disclosure exploits paid on a sliding scale down to $500.

In March, Microsoft launched its Office Insider Builds bug bounty program, for which researchers could earn up to $15,000 in the normal course of the program, with "certain submissions" able to gain in excess of $15,000. The program closed on June 15.

At the same time, Intel launched its first bug bounty program, with the chip giant promising to part with $7,500 for critical software bugs, $10,000 for critical firmware bugs, and up to $30,000 for each critical Intel hardware bug disclosed to the company.

Earlier this week, the Tor Project started a bounty program, with researchers able to gain up to $4,000 per report.

Editorial standards