Skip to main content
Rate:  

 

Microsoft Bounty Programs

MS Bounty Programs Shield

Calling all Microsoft friends, hackers, and researchers! Do you want to help us protect customers, making some of our most popular products better… and earn money doing so? Step right up!

Microsoft offers direct payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.

Microsoft has championed many initiatives to advance security and to help protect our customers, including the Security Development Lifecycle (SDL) process and Coordinated Vulnerability Disclosure (CVD). We formed industry collaboration programs such as the Microsoft Active Protections Program (MAPP) and Microsoft Vulnerability Research (MSVR),and created the BlueHat Prize to encourage research into defensive technologies. Since June 2013, we’ve also offered bounties for certain classes of vulnerabilities reported to us. These bounty programs help Microsoft harness the collective intelligence and capabilities of security researchers to help protect customers. As you’ll see from the list below, several time-limited programs apply only to preview versions, so we can address the vulnerabilities before the final version is complete.

Take a look at the active programs below and review the program details at each link. If you have a vulnerability that might be a match for one of our bounty programs, please contact us at secure@microsoft.com with details.

Happy Hunting!

Microsoft Security Response Center

Active Bounty Programs for Windows

Program NameStart DateEnding DateEligible EntriesBounty range
Windows Insider PreviewJuly 26, 2017OngoingCritical and important vulnerabilities in Windows Insider Preview slowUp to $15,000 USD
Windows Defender Application GuardJuly 26, 2017OngoingCritical vulnerabilities in Windows Defender Application Guard in WIP slowUp to $30,000 USD
Microsoft Hyper-V Bounty ProgramMay 31, 2017OngoingCritical remote code execution, information disclosure and denial of services vulnerabilities in Hyper-VUp to $250,000 USD
Microsoft Edge on Windows Insider PreviewAugust 4, 2016OngoingCritical remote code execution and design issues in Microsoft Edge in Windows Insider Preview slowUp to $15,000 USD
Mitigation Bypass BountyJune 26, 2013OngoingNovel exploitation techniques against protections built into the latest version of the Windows operating system.Up to $100,000 USD
Bounty for DefenseJune 26, 2013OngoingDefensive ideas that accompany a qualifying Mitigation Bypass submissionUp to $100,000 (in addition to any applicable Mitigation Bypass Bounty)

Active Bounty Programs for .NET and Cloud

Program NameStart DateEnding DateEligible EntriesBounty range
Microsoft .NET Core and ASP.NET Core Bug Bounty ProgramSeptember 1, 2016OngoingVulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details)Up to $15,000 USD
Microsoft Cloud BountySeptember 23, 2014OngoingVulnerability reports on applicable Microsoft cloud servicesUp to $15,000 USD

Closed Bounty Programs

Program NameStart DateEnding DateEligible EntriesBounty range
Microsoft Office Bounty ProgramMarch 15, 2017June 15, 2017Vulnerabilities on Office Insider
TIME LIMITED.
Up to $15,000 USD
.NET Core and ASP.NET Core RC2 Bug BountyJune 7, 2016September 7, 2016This successor to the previous CoreCLR and ASP.NET 5 beta bounty program applies to .NET Core, ASP.NET Core RC2 and any subsequent Release Candidates during the bounty period, or the final RTM version if released within the bounty period. TIME LIMITED.Up to $15,000 USD
Nano Server Technical Preview BountyApril 27, 2016July 27, 2016Critical and Important vulnerabilities that affect Nano Server Technical Preview.Up to $15,000 USD
CoreCLR and ASP. NET 5 Technical Preview BountyOctober 20, 2015January 20, 2016NET core runtime, called CoreCLR and the beta versions of ASP.NET.Up to $15,000 USD
Microsoft Edge Technical Preview Bug BountyApril 22, 2015June 22, 2015Critical and important vulnerabilities that affect Project Spartan (latest browser in Windows Technical Preview).Up to $15,000 USD
Internet Explorer 11 Preview Bug BountyJune 26, 2013July 26, 2013Critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows.Up to $11,000 USD

MSRC Blog

SRD Blog