Microsoft Launches Windows Bug Bounty Program With Rewards Ranging From $500 To $250,000

Microsoft on Wednesday announced the Windows Bounty Program. Rewards start at a minimum of $500 and can go up to as high as $250,000. From a report: To be clear, Microsoft already offers many bug bounty programs. This is also not the first to target Windows features -- the company has launched many Windows-specific bounties for those starting in 2012. The Windows Bounty Program, however, encompasses Windows 10 and even the Windows Insider Preview, the company's program for testing Windows 10 preview builds. Furthermore, it also has specific focus areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.

Okay Dokey

[fahrbot-bot]

I mailed in a Windows 10 Install DVD. When do I get my check for $250k?

Re:Okay Dokey

[bobbied]

Darn, you beat me to it... I used priority mail so maybe I get there first??

Re:Okay Dokey

[ma1wrbu5tr]

I wonder if this covers legacy OSes. I have Windows ME and Vista disks laying around here somewhere.

Don't get excited

[citylivin]

I thought I would be newly rich as my technet / microsoft forums account only exists to file all the monthly bugs i find in windows. But then i read its only certain types of bugs that are eligible:

"Any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customerâ(TM)s privacy and security will receive a bounty"

oh well! I continue to do QA for free then i guess.

Re:Don't get excited

[mysidia]

Also, Microsoft has historically quite the reputation of downplaying discovered bugs with security impact or reclassifying as lower impact, Until an actual exploit is publicized that defeats all mitigations.

Doubt the bounty will help matters. Merely discovering a bug is not enough --- you're going to need to build the exploit to.

Once you have a RCE exploit, you could PROBABLY make a lot more than $250k selling that to the CIA, etc.

Re:Don't get excited

[mysidia]

But Windows is safe

“Will you walk into my parlour?” said the Spider to the Fly,

  'Tis the prettiest little parlour that ever you did spy;

    The way into my parlour is up a winding stair,

      And I've a many curious things to show when you are there.”

Edge

[sproketboy]

> Furthermore, it also has specific focus areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.

Yeah but then I'd have to use Microsoft Edge.

Re:Edge

[bobbied]

Yea, but it's FASTER (according to M$'s PR campaign that comes up when you start Edge)... Well SURE it's faster, it doesn't support anything that would slow it down.

Re:They can't be serious!

[fisted]

If a vulnerability is found, how do you know who's ultimately responsible for it?

Yeah, didn't think so. So "there has been no government intelligence agency related "feature" ever discovered" is completely meaningless.

And whoever finds a bug in the Edge browser

[hcs_$reboot]

gets a 10 cents reward.

Re: They can't be serious!

[F.Ultra]

If we assume that NSA has such leverage over MS then that is propably a whole different section than the one doing this bounty program, remember that MS is a huge corporation.

Re:They can't be serious!

[fisted]

Do you have any proof that a government intelligence agency in cooperation with the software vendors have created purpose built exploitable security flaws?

No. Can this be proven? No, it's trivially plausibly deniable. Please learn basic reasoning and logic.

My point stands, your inital assertion is meaningless.

The real irony [blah blah]

So what does that have to do with anything?

Re:They can't be serious!

[fisted]

Your intelligence level [...]

Oh the irony.

your accusations

What exactly are "my accusations", my special friend? What I've done is pointing out that "there has been no government intelligence agency related "feature" ever discovered" is a meaningless statement. That is not remotely the same as me claiming there are in fact such backdoors; the difference is that I don't assume there aren't any, while you do, based on your meaningless statement. I'm repeating myself, but please get familiar with basic reasoning and logic.