Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Microsoft Adds Scenario-Based Rewards to Windows Insider Preview Bounty Program

Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview (WIP) Bounty Program, with a top bounty of $100,000.

Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview (WIP) Bounty Program, with a top bounty of $100,000.

As part of the WIP program, eligible researchers are invited by Microsoft to find vulnerabilities in the Windows Insider Preview Dev Channel, with general rewards ranging between $500 for denial-of-service (DoS) issues and $5,000 for remote code execution flaws.

However, there are now five attack scenarios that can earn researchers between $20,000 and $100,000. The maximum bounty is awarded for demonstrating a remote attack where an unauthenticated attacker achieves non-sandboxed arbitrary code execution without any user interaction.

Hackers can receive $50,000 if they show how a remote attacker could gain access to private user data (e.g. files, photos, or emails) with no user interaction, or through little user interaction, such as convincing the target to access a malicious website.

A $30,000 reward is being offered for a remote attack that leads to data destruction or a persistent DoS condition with no user interaction.

As for local attack vectors, Microsoft is prepared to pay up to $20,000 for a sandbox escape with little or no user interaction, and for access to private user data from a sandboxed process without any user interaction.

Microsoft also announced that it has made some changes that should lead to faster assessments and bounty reviews.

“To enable faster triage and review of WIP bounty submissions and ultimately get awards to researchers faster, we ask that all Windows vulnerability reports indicate if the issue reproduces on WIP Dev Channel, and include the build and revision string in your report,” Jarek Stanley, senior program manager at MSRC, explained in a blog post.

“To further speed bounty review, we recommend using the MSRC Researcher Portal to report vulnerabilities to Microsoft. We’ve updated the portal user experience to streamline communication of the data necessary to triage, assess, and award bounty for qualifying submissions. If you think you’ve found a vulnerability that qualifies for a scenario-based bounty award, there are new fields in the MSRC Researcher Portal to indicate the scenario in your report,” Stanley added.

Related: Hackers Can Earn $20,000 for Xbox Vulnerabilities

Related: Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere

Related: Microsoft Offers Up to $30,000 for Flaws in Chromium-Based Edge

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.