Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview (WIP) Bounty Program, with a top bounty of $100,000.
As part of the WIP program, eligible researchers are invited by Microsoft to find vulnerabilities in the Windows Insider Preview Dev Channel, with general rewards ranging between $500 for denial-of-service (DoS) issues and $5,000 for remote code execution flaws.
However, there are now five attack scenarios that can earn researchers between $20,000 and $100,000. The maximum bounty is awarded for demonstrating a remote attack where an unauthenticated attacker achieves non-sandboxed arbitrary code execution without any user interaction.
Hackers can receive $50,000 if they show how a remote attacker could gain access to private user data (e.g. files, photos, or emails) with no user interaction, or through little user interaction, such as convincing the target to access a malicious website.
A $30,000 reward is being offered for a remote attack that leads to data destruction or a persistent DoS condition with no user interaction.
As for local attack vectors, Microsoft is prepared to pay up to $20,000 for a sandbox escape with little or no user interaction, and for access to private user data from a sandboxed process without any user interaction.
Microsoft also announced that it has made some changes that should lead to faster assessments and bounty reviews.
“To enable faster triage and review of WIP bounty submissions and ultimately get awards to researchers faster, we ask that all Windows vulnerability reports indicate if the issue reproduces on WIP Dev Channel, and include the build and revision string in your report,” Jarek Stanley, senior program manager at MSRC, explained in a blog post.
“To further speed bounty review, we recommend using the MSRC Researcher Portal to report vulnerabilities to Microsoft. We’ve updated the portal user experience to streamline communication of the data necessary to triage, assess, and award bounty for qualifying submissions. If you think you’ve found a vulnerability that qualifies for a scenario-based bounty award, there are new fields in the MSRC Researcher Portal to indicate the scenario in your report,” Stanley added.
Related: Hackers Can Earn $20,000 for Xbox Vulnerabilities
Related: Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere
Related: Microsoft Offers Up to $30,000 for Flaws in Chromium-Based Edge
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
