Microsoft launches bug bounty for new Chromium Edge browser, with $30,000 top reward

But researchers will need to find a sandbox escape for Microsoft Edge Windows Defender Application Guard to get the top reward.
Written by Liam Tung, Contributing Writer

Google's nine-year-old Chromium bug bounty has paid researchers over $5 million in rewards. Now Microsoft is launching one for its Chromium-based Edge browser beta, targeting bugs that don't affect Google Chrome. 

And in line with Google's recent move to double top rewards under its program to $30,000, Microsoft will offer the same $30,000 top reward for the most critical bugs, which include a combined elevation of privilege flaw with a container escape from Windows Defender Application Guard. 

Windows Defender Application Guard was originally available only for the EdgeHTML-based version of Edge; however, in March Microsoft released the extension for Chrome and Firefox too.

The technology lets admins set up a white list of trusted sites users can visit in Edge. URLs not on that list open in a Hyper-V sandboxed session of Edge, protecting the operating system from anything nasty that could be installed from the web. 

Microsoft says its Edge program for Edge Beta and Edge Dev channels is designed to "complement" Google's Chromium bug bounty.

The company will only issue a reward for previously unreported vulnerabilities that are unique to Chromium-based Edge and that do not reproduce on the equivalent channel of Google Chrome. 

The new bug bounty will run alongside Microsoft's existing one for Edge that's based on its EdgeHTML engine, which currently offers a top reward of $15,000. 

Microsoft this week launched Chromium-based Edge beta for Windows 10, 7, 8/8.1 and macOS. It can be downloaded from the Edge Insider site, and its availability suggests the new Edge, or 'Chredge' as some call it, could soon be generally available. However, as ZDNet's Microsoft watcher Mary Jo Foley notes, it probably won't arrive until very late this year or some time in 2020.

Microsoft is assessing user feedback throughout its early releases of the Edge canary, developer and beta channels. Next month, the Edge canary channel will gain an option to block auto-playing video and audio.     

To be eligible for a reward in the Chromium-based Edge bounty, researchers must demonstrate the bug works on the latest version of Edge on fully patched versions of Windows or macOS. 

Microsoft will also evaluate submissions on the quality of reports, which must include a proof of concept exploit demonstrating the vulnerability works.
