Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview (WIP) Bounty Program, with a top bounty of $100,000.
As part of the WIP program, eligible researchers are invited by Microsoft to find vulnerabilities in the Windows Insider Preview Dev Channel, with general rewards ranging between $500 for denial-of-service (DoS) issues and $5,000 for remote code execution flaws.
However, there are now five attack scenarios that can earn researchers between $20,000 and $100,000. The maximum bounty is awarded for demonstrating a remote attack where an unauthenticated attacker achieves non-sandboxed arbitrary code execution without any user interaction.
Hackers can receive $50,000 if they show how a remote attacker could gain access to private user data (e.g. files, photos, or emails) with no user interaction, or with little user interaction, such as convincing the target to access a malicious website.
A $30,000 reward is being offered for a remote attack that leads to data destruction or a persistent DoS condition with no user interaction.
As for local attack vectors, Microsoft is prepared to pay up to $20,000 for a sandbox escape with little or no user interaction, and for access to private user data from a sandboxed process without any user interaction.
Microsoft also announced that it has made some changes that should lead to faster assessments and bounty reviews.
“To enable faster triage and review of WIP bounty submissions and ultimately get awards to researchers faster, we ask that all Windows vulnerability reports indicate if the issue reproduces on WIP Dev Channel, and include the build and revision string in your report,” Jarek Stanley, senior program manager at MSRC, explained in a blog post.
“To further speed bounty review, we recommend using the MSRC Researcher Portal to report vulnerabilities to Microsoft. We’ve updated the portal user experience to streamline communication of the data necessary to triage, assess, and award bounty for qualifying submissions. If you think you’ve found a vulnerability that qualifies for a scenario-based bounty award, there are new fields in the MSRC Researcher Portal to indicate the scenario in your report,” Stanley added.