Microsoft adds all of Windows - including Server - to extended bug bounty program

Posted July 27, 2017

If you find a bug in a popular application from a large company, there is a good chance that they offer a "bug bounty" program where you can report the issue and make a little bit of money for uncovering the flaw.

Now Microsoft is going a step further with the launch of the Windows Bounty Programme, a bug bounty programme which specifically targets all current versions of the Windows operating system - including those in the Windows Insider beta-test programme - for the first time.

The bug bounty program "will continue indefinitely at Microsoft's discretion", the company added.

The Redmond, Wash.-based software giant said the Windows Bounty Program would cover all features of the Windows Insider Preview.

To ensure Windows 10 is secure and bug-free, Microsoft has announced a fresh round of the Windows Bounty Programme that will reward bug finders with up to $250,000 if they are able to discover exploits in Microsoft's virtualisation software.

The three other focus areas for the bounty program are mitigation bypass ($500 to $200,000 payout range), Windows Defender Application Guard ($500 to $30,000), and Microsoft Edge ($500 to $15,000).

- Any critical or important class remote code execution, elevation of privilege, or design flaws that compromise a customer's privacy and security will receive a bounty.

"Since 2012, we have launched multiple bounties for various Windows features", the MSRC blog entry said.

Second on the list of priorities is Mitigation Bypass and Bounty for Defense.

In addition to the payouts for the first person to discover the bugs, Microsoft is also offering to pay out 10% of the corresponding reward to the first person to report any bugs that are discovered internally but have not been published yet. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.