Microsoft Announces Windows Bounty Program

Microsoft announced a new Windows Bounty Program that will pay researchers up to $250,000 for finding and disclosing security vulnerabilities.

The bug bounty program will task researchers with focusing on a few key areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, Microsoft Edge, and all features made available via the Windows Insider Program. Payouts depend on where a vulnerability is found and how severe it is. A minor vulnerability in Edge pays $500; a critical vulnerability in Hyper-V can pay up to $250,000. That’s quite the range.

But that’s what it takes to learn about vulnerabilities as soon as possible. Some people disclose security problems simply because they want to make Windows users safer. Others hunt for vulnerabilities because that’s how they want to make a living. Companies like Microsoft have realized they can’t just rely on the first group’s altruism–they also have to offer financial incentives so they can appeal to the second group’s wallets.

That’s why everyone from Qualcomm and Netgear to the European Parliament and Fiat Chrysler have recently introduced or expanded bug bounty programs. The Windows Bounty Program is an expansion of Microsoft’s other efforts. Here’s what the company said in its announcement:

Since 2012, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.

Microsoft also offered a few highlights about the program, prime among them being the fact that “any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security will receive a bounty.” It might not pay much, but you’ll get something. The company also pointed out that the Windows Bounty Program runs at its discretion and can end at any time.

Another thing to note is that Microsoft will pay out even if you report a vulnerability it has already discovered. The company said it will pay “a maximum of 10% of the highest amount” you would’ve received if the discovery was fresh. Again, that might not add up to much, but it’s clear Microsoft is trying to encourage researchers to disclose everything instead of sitting on vulnerabilities because they don’t know if they’re new.

You can learn more about Microsoft’s bug bounties, including the Windows Bounty Program, in the company’s Security Tech Center. Vulnerabilities can also be disclosed by emailing [email protected]. The basics about the Windows Bounty Program’s payouts are summarized below.

Category     Targets                                   Windows Version                                                                              Payout Range (USD)
Focus Area   Microsoft Hyper-V                         Windows 10; Windows Server 2012; Windows Server 2012 R2; Windows Server Insider Preview      $5,000-$250,000
Focus Area   Mitigation bypass and Bounty for defense  Windows 10                                                                                   $500-$200,000
Focus Area   Windows Defender Application Guard        Windows Insider Program (Slow Ring)                                                          $500-$30,000
Focus Area   Microsoft Edge                            Windows Insider Program (Slow Ring)                                                          $500-$15,000
Base         Windows Insider Preview                   Windows Insider Program (Slow Ring)                                                          $500-$15,000