Microsoft creates new bug bounty program

Microsoft has launched a new bug bounty program for researchers looking for vulnerabilities in its software. The program covers remote code execution (RCE) vulnerabilities in the Microsoft Edge build shipped to members of the Windows Insider Program. Qualifying reports are paid between US$500 and US$15,000. If a researcher reports a bug that Microsoft has already found internally, the company commits to paying the first external reporter as much as US$1,500.

The Windows Insider Program is split into three rings. The first ring receives builds as soon as they are produced. The second receives a cleaner, more stable build. The last ring gets the most complete and thoroughly tested build. The Insider program is not the first Microsoft program in which outsiders can test the quality of its products: Microsoft already runs a range of programs for security researchers, including the Bounty for Defense and the Online Services Bug Bounty.

The application of the bounty program

The previous Edge Technical Preview Bug Bounty ran last year between April and June, with Microsoft paying between US$1,500 and US$15,000 to researchers who found RCE vulnerabilities. This April, Microsoft awarded a US$13,000 bounty to security researcher Jack Whitton, who identified a flaw in its authentication system.

According to Whitton, Microsoft's authentication system was vulnerable to cross-site request forgery (CSRF) attacks, which allow an attacker to obtain a user's login tokens and then act as that user. Microsoft says its bounty programs ensure that “end customers are kept safe and protected”.


Edited from sources by Ruby Arenson