In brief: Microsoft has bug bounty programs for several of its products including Windows, Office, Azure and the chromium-powered Edge browser. The latest to join them is the Xbox Bounty Program, which invites gamers and security researchers from around the world to identify and report significant vulnerabilities in the company’s gaming platform.
For those interested in becoming part of the Xbox Bounty Program, the company is offering monetary awards ranging between $500 to $20,000 for identifying security vulnerabilities in its Xbox Live service.
As with other programs of this type, the prize money depends upon the severity and impact of the discovered vulnerability, with a possibility of going beyond the set amount on the basis of “report quality and vulnerability impact.”
According to the specifics laid out by Microsoft, bounty awards are only applicable in the case of finding “Important” and “Critical” vulnerabilities that enable remote code execution attacks, privilege escalation, bypassing security features, information disclosure, spoofing, and tampering. Vulnerabilities that are out of scope have also been listed.
For researchers whose discoveries do not qualify for a bounty award, Microsoft notes that their submissions could still receive recognition in the form of public acknowledgment, provided they lead to a vulnerability fix.
Those looking to enroll in the program need to sign up on the Xbox network and are encouraged to create multiple accounts for conducting research. The company notes that having an Xbox console at hand and/or access to one of its online subscriptions (Xbox Gold, Project xCloud, Xbox Game Pass, etc.) could be useful for testing, but isn’t required. Also, consoles or paid accounts won’t be provided to participants, in case anyone’s wondering.
Other details of the program highlight prohibited activities during testing, such as using a test account to access data of a legitimate customer, as well as social engineering them or a Microsoft employee for obtaining information. Findings can be reported to the MSRC Submission portal, and the company also mentions that all valid submissions will be included in the Researcher Recognition Program and leaderboard.