Frequently Asked Questions about Microsoft Bug Bounty Programs
This document answers frequently asked questions about bounty programs and explains the submission and confidentiality requirements of the programs.
The decisions made by Microsoft are final and binding. Microsoft may cancel this program at any time, for any reason. Be sure to read all of these terms before sending us any submission. If you send us a submission for this program, you are agreeing to these terms. If you do not want to agree with these terms, do not send us any submissions or otherwise participate in this program.
HOW DO I SUBMIT A VULNERABILITY REPORT FOR BOUNTY?
WHAT HAPPENS AFTER I SUBMIT THE REPORT?
WHO IS ELIGIBLE TO PARTICIPATE?
You are eligible to participate in this program if all of the following are true:
WHO IS NOT ELIGIBLE TO PARTICIPATE?
ARE THERE ADDITIONAL REQUIREMENTS FOR AN ORGANIZATION TO PARTICIPATE IN THE MICROSOFT BOUNTY PROGRAMS?
Yes, an organization will be required to complete a pre-registration process in order to participate in the program. Please email email@example.com for complete details.
HOW DOES MICROSOFT DETERMINE BOUNTY PAYMENTS?
If you do not wish to receive a bounty payment for your vulnerability submission, Microsoft will gladly work with you to donate the bounty to an approved charity.
I SUBMITTED A VULNERABILITY BEFORE YOU HAD BOUNTIES. CAN I GET PAID?
We have long been recognizing the work of security researchers who help us secure our products in a variety of ways, from acknowledgement in a Microsoft bulletin to invitations to events like the Researcher Appreciation Party in Las Vegas. The bounty programs represent the latest in our ongoing investment in working collaboratively with security researchers.
WHAT CAN I DISCLOSE ABOUT A VULNERABILITY REPORT I SUBMITTED FOR BOUNTY AND WHEN CAN I DISCLOSE IT?
If you report a vulnerability, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless Microsoft makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code.
CAN I SUBMIT A VULNERABILITY WHEN I FIND IT AND A WORKING EXPLOIT LATER?
Yes. We want to know about a security vulnerability as soon as you’ve found it. We will award you the bounty for the vulnerability reported. If you give us the functioning exploit within 90 days of submitting the vulnerability, we will top it off and pay you the entire bounty amount. For example, if you submit a critical RCE you will receive $6,000 during the adjudication. When you submit the functioning exploit within 90 days, you will receive the additional $9,000.
WHEN ARE YOU GOING TO ADD A BOUNTY FOR [X]?
We’re constantly evaluating our programs to determine how to increase the win-win between the security research community and Microsoft’s customers.
REGARDING MITIGATION BYPASS BOUNTIES HOW DO I KNOW IF I SHOULD PRE-REGISTER?
If you are submitting your own mitigation bypass idea that you invented, then you do not need to pre-register. Simply send it to firstname.lastname@example.org. If you are submitting a mitigation bypass technique that you found in use in the wild, then you will need to pre-register before you submit. Email email@example.com to get started. Please see complete program terms here.
CAN I SUBMIT A DEFENSE AGAINST SOMEONE ELSE’S MITIGATION BYPASS TECHNIQUE?
Yes, if the defense submission qualifies as being new and practical as defined in the terms, we will award up to $100,000 USD for a defense that can block existing mitigation bypasses. If you have a defensive technique and corresponding exploits to prove the technique works, you will be eligible for this program.
Please see the privacy statement regarding this program.
It is your responsibility to comply with any polices that your employer may have that would affect your eligibility to participate in the bug bounty programs. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving bounty payment(s). Government employees who want to participate are required to provide a letter from their employer’s ethics compliance officer confirming their ability to participate in this program. All payments will be made in compliance with local laws, regulations, and ethics rules. Microsoft disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.
If we determine that your submission is qualified, Microsoft will notify you by sending a reply to your email submission. If the notification that we send is returned as undeliverable, or if you are otherwise unreachable for any reason, we may not provide payment.
If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the program. Before receiving a bounty payment, you are required to sign an Affidavit of Eligibility (a formal statement that verifies your personal information), a Liability/Publicity Release (which provides permission for Microsoft to use your name and likeness without pursuing future claims), and a W-9 tax form or W-8 BEN tax form, all within 30 calendar days of notification of validation. If you want to remain anonymous to the public, we will honor your request, but we must know your legal name in order to pay you. If your submission is qualified and you are 14 or older but are considered a minor in your place of legal residence, we may require your parent or legal guardian to sign all required forms on your behalf. If you do not complete the required forms as instructed or do not return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until we have received the fully executed required documentation.
If your submission is qualified, please note:
Microsoft is not claiming any ownership rights to your submission. However, by providing your submission to Microsoft, you:
This program is hosted in the United States, and submissions are collected on computers in the United States. This program will be governed by the laws of the State of Washington, and you consent to the exclusive jurisdiction and venue of the courts of the State of Washington for any disputes that arise out of this program.
Thank you for participating in the Microsoft Bug Bounty Program!
Microsoft Bounty Program Navigation Bar