Microsoft launches Xbox bug bounty program with rewards of up to $20,000

Microsoft Security Response Center (MSRC) to start accepting vulnerabilities in Xbox gaming platform.

Xbox controller

Image: Joshua Oluwagbemiga

Microsoft announced today the launch of an official bug bounty program for the Xbox gaming platform.

Starting today, Microsoft says it will pay from $500 to $20,000 for vulnerabilities found in the Xbox Live network and services.

Microsoft said anyone can submit vulnerabilities to the new Xbox bug bounty program, regardless if they're gamers or trained security experts.

According to Chloé Brown, Program Manager at the Microsoft Security Response Center (MSRC), eligible submissions must include "a clear and concise proof of concept (POC)."

The POC will be needed to demonstrate the bug's impact and allow the Xbox team to reproduce the vulnerability before fixing the reported issue.

"Bounties will be awarded at Microsoft's discretion based on the severity and impact of the vulnerability and the quality of the submission," the program's rules state.

The bug bounty program will cover the Xbox Live cloud backend infrastructure. Rewards will be given out for bug reports based on the table below:

xbox-bug-bounty.png

The Xbox bug bounty, however, also comes with some restrictions. For example, Microsoft prohibits and automatically disqualifies bug hunters who attempt to phish or social engineer Xbox users and engineers, move laterally inside the Xbox network beyond the minimally needed access to prove a vulnerability's impact, or bug hunters who download or access sensitive Xbox user data.

The Xbox platform has been around since 2012. Even if Microsoft has been one of the first tech companies to run a bug bounty program, Xbox was never included in this program.

Until today, Microsoft has paid bug hunters for vulnerability reports in products such as the Windows operating system, the Office suite, the IE and Edge web browsers, Microsoft vast array of cloud services, the Hyper-V hypervisor technology, and the ElectionGuard open-source voting software.