Vulnerabilities / Threats

2/6/2018
02:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Updates Payment, Criteria for Windows Bug Bounty

The Windows Insider Preview Bounty Program will award between $500 and $15,000 for eligible submissions.

Microsoft has updated the eligible submission criteria and payment tiers for its Windows Insider Preview bounty program, which first launched on July 26, 2017.

The program was created to find vulnerabilities that reproduce in versions of Windows released through the Windows Insider Preview (WIP) fast ring. Insiders test early releases of each OS update before the final release goes to the public, to eliminate bugs and security problems.

The typical payments for qualified submissions earn between $500 to $15,000 USD per bug. In an announcement on its latest update, Microsoft notes bounties are awarded at its discretion and higher payouts beyond $15,000 may be possible, depending on the quality and complexity of each entry.

Higher-quality reports lead to bigger payouts. The baseline reward for a remote code execution vulnerability ranges from $500 to $7,500, but a high-quality RCE report could earn up to $15,000 per bug. Similarly, the payout for a privilege escalation flaw ranges from $500 to $5,000 as a baseline sum, but up to $10,000 for a high-quality report.

Each submission must meet certain criteria to be eligible for payment. It must identify an original and unreported Critical or Important flaw in WIP Fast. The bug must reproduce in the version of WIP Fast being tested. Reports must have the vulnerability impact and attack vector.

A description of the problem, and the steps to reproduce it, must be easily understood to Microsoft engineers so they can patch. If a submission has all the info necessary for an engineer to reproduce, understand, and fix the problem - including a short write-up with background data, description, and proof-of-concept - it could earn more money.

Microsoft encourages any submissions describing security flaws in WIP Fast. It won't pay out for bugs in the Windows Store, Windows apps, firmware, third-party drivers, or third-party software in Windows. Vulnerabilities requiring "unlikely user actions" also don't count; neither do vulnerabilities that are known to Microsoft or require users to downgrade security settings.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-17305
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a Bleichenbacher Oracle vulnerability in the IPSEC IKEv1 implementations. Remote attackers can decrypt IPSEC tunnel ciphertext data by leveraging a Bleichenbacher R...
CVE-2017-17311
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted...
CVE-2017-17312
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted...
CVE-2018-12115
PUBLISHED: 2018-08-21
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second...
CVE-2018-7166
PUBLISHED: 2018-08-21
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misint...