Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Microsoft Adds Scenario-Based Rewards to Windows Insider Preview Bounty Program

Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview (WIP) Bounty Program, with a top bounty of $100,000.

Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview (WIP) Bounty Program, with a top bounty of $100,000.

As part of the WIP program, eligible researchers are invited by Microsoft to find vulnerabilities in the Windows Insider Preview Dev Channel, with general rewards ranging between $500 for denial-of-service (DoS) issues and $5,000 for remote code execution flaws.

However, there are now five attack scenarios that can earn researchers between $20,000 and $100,000. The maximum bounty is awarded for demonstrating a remote attack where an unauthenticated attacker achieves non-sandboxed arbitrary code execution without any user interaction.

Hackers can receive $50,000 if they show how a remote attacker could gain access to private user data (e.g. files, photos, or emails) with no user interaction, or through little user interaction, such as convincing the target to access a malicious website.

A $30,000 reward is being offered for a remote attack that leads to data destruction or a persistent DoS condition with no user interaction.

As for local attack vectors, Microsoft is prepared to pay up to $20,000 for a sandbox escape with little or no user interaction, and for access to private user data from a sandboxed process without any user interaction.

Microsoft also announced that it has made some changes that should lead to faster assessments and bounty reviews.

“To enable faster triage and review of WIP bounty submissions and ultimately get awards to researchers faster, we ask that all Windows vulnerability reports indicate if the issue reproduces on WIP Dev Channel, and include the build and revision string in your report,” Jarek Stanley, senior program manager at MSRC, explained in a blog post.

Advertisement. Scroll to continue reading.

“To further speed bounty review, we recommend using the MSRC Researcher Portal to report vulnerabilities to Microsoft. We’ve updated the portal user experience to streamline communication of the data necessary to triage, assess, and award bounty for qualifying submissions. If you think you’ve found a vulnerability that qualifies for a scenario-based bounty award, there are new fields in the MSRC Researcher Portal to indicate the scenario in your report,” Stanley added.

Related: Hackers Can Earn $20,000 for Xbox Vulnerabilities

Related: Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere

Related: Microsoft Offers Up to $30,000 for Flaws in Chromium-Based Edge

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.