Security Experts:

Microsoft Adds Scenario-Based Rewards to Windows Insider Preview Bounty Program

Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview (WIP) Bounty Program, with a top bounty of $100,000.

As part of the WIP program, eligible researchers are invited by Microsoft to find vulnerabilities in the Windows Insider Preview Dev Channel, with general rewards ranging between $500 for denial-of-service (DoS) issues and $5,000 for remote code execution flaws.

However, there are now five attack scenarios that can earn researchers between $20,000 and $100,000. The maximum bounty is awarded for demonstrating a remote attack where an unauthenticated attacker achieves non-sandboxed arbitrary code execution without any user interaction.

Hackers can receive $50,000 if they show how a remote attacker could gain access to private user data (e.g. files, photos, or emails) with no user interaction, or through little user interaction, such as convincing the target to access a malicious website.

A $30,000 reward is being offered for a remote attack that leads to data destruction or a persistent DoS condition with no user interaction.

As for local attack vectors, Microsoft is prepared to pay up to $20,000 for a sandbox escape with little or no user interaction, and for access to private user data from a sandboxed process without any user interaction.

Microsoft also announced that it has made some changes that should lead to faster assessments and bounty reviews.

“To enable faster triage and review of WIP bounty submissions and ultimately get awards to researchers faster, we ask that all Windows vulnerability reports indicate if the issue reproduces on WIP Dev Channel, and include the build and revision string in your report,” Jarek Stanley, senior program manager at MSRC, explained in a blog post.

“To further speed bounty review, we recommend using the MSRC Researcher Portal to report vulnerabilities to Microsoft. We’ve updated the portal user experience to streamline communication of the data necessary to triage, assess, and award bounty for qualifying submissions. If you think you’ve found a vulnerability that qualifies for a scenario-based bounty award, there are new fields in the MSRC Researcher Portal to indicate the scenario in your report,” Stanley added.

Related: Hackers Can Earn $20,000 for Xbox Vulnerabilities

Related: Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere

Related: Microsoft Offers Up to $30,000 for Flaws in Chromium-Based Edge

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.