Microsoft Bug Bounty Programs FAQ
Want to get paid to find bugs? Read on...
What are the official terms for Microsoft’s bounty programs?
Where can I get the version of Microsoft’s platform that is in scope for Mitigation Bypass bounties?
Download the latest version of Windows here.
How long will these programs run?
The Mitigation Bypass Bounty, BlueHat Bonus for Defense, and Online Services Bounty Programs will run indefinitely, at Microsoft’s discretion.
Is product [x] in scope for the bounty programs?
Please read the above terms to understand what is currently in scope for Microsoft’s bounty programs. The increased scope of the Bounty Program will be announced on the BlueHat Blog and on www.microsoft.com/bountyprograms.
Can I get a list of mitigation bypasses/defensive ideas or services bugs, so I don’t enter something you don’t already know about?
We cannot provide a list of ideas or bugs we have evaluated.
Is there an age limit for participants?
Researchers 14 years of age or older may submit bypasses, defense ideas or bugs to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parent’s or legal guardian’s consent prior to participating in this program. Please see the program terms here for full information on eligibility.
Questions about the past and future of Microsoft bounty programs
When are you going to add a bounty for [x]?
We’re constantly evaluating our programs to determine how to increase the win-win between the security research community and Microsoft’s customers.
I submitted a vulnerability before you had bounties. Can I get paid?
We have long been recognizing the work of security researchers who help us secure our products in a variety of ways, from acknowledgement in a Microsoft bulletin to invitations to events like the Researcher Appreciation Party in Las Vegas. The bounty programs represent the latest in our ongoing investment in working collaboratively with security researchers.
What was that Internet Explorer bounty all about?
The Internet Explorer 11 Preview bounty is now closed. It was active from June 26, 2013 - July 26, 2013. For a historical look at the Internet Explorer 11 Preview bounty terms, please see details here. To see a list of researchers who have participated in our bounty programs, see our hall of fame here.
What’s the buzz about the Online Services Bug Bounty?
As of September 23, 2014, Microsoft started giving out bug bounties on submissions for select Online Services properties. See our full announcement here.
Online Services Bounty
What is the Microsoft Online Services Bug Bounty?
The Online Services Bounty gives individuals across the globe an opportunity to submit vulnerability reports on eligible Online Services provided by Microsoft. Qualified submissions are eligible for a minimum payment of $500 USD. Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability
Is there an age limit for participants?
Researchers 14 years of age or older may submit bypasses, defense ideas or bugs to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parent’s or legal guardian’s permission prior to participating in this program. Please see the program terms here for full information on eligibility.
What are the terms for the Online Services Bug Bounty?
Please see complete program terms here
Where can I setup a test account for Microsoft’s Online Services Bounties?
Different Online Services may have different ways to create free accounts. For Office 365, you can set up a trial tenant and account here. In all cases, where possible, include the string “MSOBB” in your account name and\or tenant name in order to identify a tenant as being in use for testing as part of the bug bounty program.
Which online services are eligible for a Bounty?
Online Services in scope for the bounty are listed by domain. Please visit this page to determine which services are eligible, and other terms around scope.
What types of reports qualify for an Online Services Bounty?
What if I find a vulnerability in a non-eligible service?
You will receive credit for any verified vulnerabilities you report, following our Coordinated Vulnerability Disclosure practices, to email@example.com but non-eligible services will not receive a bounty payment.
When will you make other Microsoft Services eligible for a Bounty?
We are constantly evaluating products and services for bounty programs, however, we do not give any timelines on if or when we might add additional services.
Mitigation Bypass Bounty
What’s a mitigation bypass?
A mitigation bypass technique is designed to circumvent protections that are built in to operating systems. For example, the Return Oriented Programming (ROP) technique is used by some attackers against the DEP (Data Execution Prevention) mitigation. Multiple known and unknown vulnerabilities can be used to develop a new Mitigation Bypass technique
What’s the Mitigation Bypass Bounty?
The Mitigation Bypass Bounty Program asks participants to submit truly novel mitigation bypass techniques that target our latest Windows platform. Qualified mitigation bypass submissions are eligible for payment of up to $100,000 USD, based on the quality and complexity of the bypass technique.
How will these techniques be addressed in Windows?
Microsoft takes this bounty program extremely seriously and looks forward to acting on the resulting research to help protect our customers as quickly and effectively as possible.
What’s the news I heard about in November 2013 regarding the expansion of the Mitigation Bypass Bounty?
As of November 4, 2013, Microsoft started accepting submissions for bounty consideration from those who discover new mitigation bypass techniques being used in active attacks. This requires pre-registration through firstname.lastname@example.org. See our full announcement here .
How do I know if I should Pre-Register?
If you are submitting your own mitigation bypass idea that you invented, then you will not pre-register. Simply send it to email@example.com. If you are submitting a mitigation bypass technique that you found in use in the wild, then you will need to pre-register before you submit. Email firstname.lastname@example.org to get started. Please see complete program terms here.
Are there additional requirements for an organization to participate?
Yes, your organization will be required to complete a pre-registration process in order to participate in the program. Please email email@example.com for complete details.
Is there a difference in submission requirements?
The submission requirements are similar – Invent or find a new mitigation bypass technique and then send Proof-of-Concept exploit code and a technical whitepaper explaining the new technique in detail. For individuals submitting his or her own mitigation bypass idea that he or she invented, send to firstname.lastname@example.org. For individuals or organizations submitting a mitigation bypass technique that they found, they will need to pre-register at email@example.com. Please see complete program terms here.
Will reported bugs that affect previous versions of Windows be fixed?
We will gladly accept reports of vulnerabilities that do not meet our bug bounty terms. Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at firstname.lastname@example.org.
What’s in scope?
We will gladly accept and pay for validated, truly novel mitigation bypass techniques that are effective against our latest publicly available platform—as of the program’s June 26, 2013, launch date. Please see complete program terms here.
I found a vulnerability, but it doesn’t meet the terms. Is Microsoft still interested?
Yes! Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at email@example.com.
BlueHat Defense Bonus
What is the BlueHat Bonus for Defense?
The BlueHat Bonus for Defense allows security researchers to submit a technical white paper to describe a defensive idea that could effectively block a mitigation bypass technique. Qualifying defense submissions will receive up to $50,000 USD, depending on the quality and uniqueness of the defense idea.
Are Enhanced Mitigation Experience Toolkit (EMET) bypasses in scope?
No. Bypasses that work against the default configurations of our products are significantly more useful to attackers considering the size of the affected population. EMET has some known limitations, and is designed as a defense in depth measure to break some known exploitation techniques in common use by attackers.
Can I submit a defense against someone else’s mitigation bypass technique?
Yes, if the defense submission qualifies as being new and practical as defined in the terms, we will award up to $50,000 USD for a defense that can block existing mitigation bypasses.
What are the terms for the Mitigation Bypass Bounty and BlueHat Bonus for Defense Program?
Please see complete program terms here.
About the Program