
Microsoft Edge Web Platform on Windows Insider Preview Bug Bounty Program Terms

Updated on June 21, 2017

PROGRAM DESCRIPTION

Microsoft is pleased to announce the launch of the Microsoft Edge shipping with Windows 10 Insider Preview (WIP) security bounty program beginning August 4, 2016. For the duration of the program, individuals across the globe have the opportunity to submit vulnerabilities found in Microsoft Edge shipping on the latest Windows 10 Insider Preview slow ring. Windows 10 Insider Preview updates are delivered to testers in different rings. For the bounty program, we request you submit bugs on the Windows Insider Preview slow ring. Check out https://insider.windows.com/ and https://insider.windows.com/Home/GetStarted for more information.

Qualified submissions are eligible for payment from a minimum of $500 USD to $15,000 USD, and bounties will be paid out at Microsoft’s discretion based on the quality and complexity of the vulnerability. Microsoft may pay more than $15,000 USD, depending on the entry quality and complexity.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for payment:

  • Identify an original and previously unreported vulnerability in the current Microsoft Edge on WIP slow
  • The vulnerability has to reproduce on the recent WIP slow builds in order to qualify for a bounty
    • If a submission reproduces in a previous WIP Slow build but not the current WIP Slow at the time of your submission then the submission is ineligible
  • Include concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the WIP slow build number on which the vulnerability reproduces

Microsoft may reject any submission that it determines (in its sole discretion) does not meet these criteria.

HOW ARE PAYMENT AMOUNTS SET?

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission based on the criteria mentioned above
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we will award a differential to the duplicate submission
  • The first external report received on an internally known issue will receive a maximum of $1,500 USD

The payment range for eligible submissions will be based upon the following:

| Vulnerability type | Proof of concept | Report quality | Payout range (USD) * |
|---|---|---|---|
| Remote Code Execution in Microsoft Edge on recent builds of WIP slow | Required | High | Up to $15,000 |
| | Required | Low | Up to $1,500 |
| We like to focus on critical and important bugs to ensure bounty eligibility, but a novel vulnerability at a medium severity rating may also be eligible for a bounty award. | Required | High | Up to $6,000 |
| | Required | Low | Up to $1,500 |

This includes:

  • Violation of SoP, i.e. UXSS
  • Referrer spoofs

This does not include:

  • XSS, CSRF: report these to the web site owner
  • XSS filter bypass


*Higher payouts are possible, at Microsoft’s sole discretion, based on entry quality and complexity.

Definitions for Eligible Submissions:

  • Functioning exploit
    • Expansion on the proof of concept that concretely demonstrates that remote code execution is possible, such as by forcing Microsoft Edge technical preview to execute a program of the attacker’s choosing (for example, calc.exe).
    • The exploit must bypass all relevant mitigations that are enabled by Windows 10 Insider Preview slow ring
  • Proof of concept
    • The files and steps necessary to reliably reproduce the vulnerability.
  • Remote code execution
    • A vulnerability in Microsoft Edge WIP Slow where an attacker has access to someone else's computing device and can make changes, no matter where the device is geographically located.

WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?

The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in our browsers, the following are examples of vulnerabilities that will not earn a bounty reward under this program:

  • Vulnerabilities in anything earlier than the current WIP slow build
  • Vulnerabilities in any versions of Internet Explorer
  • Vulnerabilities in user-generated content
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities with Memory Garbage Collector (MemGC) turned off
  • Vulnerabilities found by disabling existing browser security features
  • Vulnerabilities in experimental features, such as those listed in about:flags

We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

HOW DO I PROVIDE MY SUBMISSION?

Send your complete submission to Microsoft at secure@microsoft.com using the bug submission guidelines found here. We request you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We are not responsible for submissions that we do not receive for any reason. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.

If you provide us with an otherwise eligible submission, but do not follow Coordinated Vulnerability Disclosure—for example, by publishing the vulnerability when or before you submit it under this program—then Microsoft may deem your submission to be ineligible under this program. We may also bar you from receiving compensation under future Microsoft Bounty programs.

WHAT CONFIDENTIALITY OBLIGATIONS DO I TAKE ON BY PROVIDING MY SUBMISSION?

If you send us a submission for this program, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless Microsoft makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability or showing the effects of the exploit in code. Before presenting in a public forum or speaking with media, please reach out to secure@microsoft.com.

I’VE SENT MY SUBMISSION. NOW WHAT?

  • You will receive an email message stating that we have received your submission.
  • Our engineers will review the submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.
  • After your submission has been validated, you will be contacted to provide the necessary paperwork to process your payment.
  • You will complete tax documentation paperwork. After we receive that paperwork and confirm that you are eligible to receive payment under this program, we will deem your submission to be qualified and process your bounty.

BOUNTY PAYMENTS:

Bounties will be paid out at Microsoft’s discretion based on the quality and complexity of the vulnerability. Microsoft retains sole discretion in determining which submissions are qualified. The minimum bounty paid for a qualified submission is $500 USD up to a maximum of $15,000 USD (may increase subject to Microsoft’s discretion). There are no restrictions on the number of qualified submissions an individual submitter can provide and be paid for.

If you do not wish to receive a bounty payment for your vulnerability submission, Microsoft will gladly work with you to donate the bounty to an approved charity.

All individuals who have been awarded bounties will additionally be recognized on our Bounty Honor Roll page.

WHO IS ELIGIBLE TO PARTICIPATE?

You are eligible to participate in this program if:

  • You are 14 years of age or older. If you are at least 14 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in this program;
  • You are either an individual participating in your own capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this program;
  • You do not fall under any of the ineligibility criteria listed below under “WHO IS NOT ELIGIBLE TO PARTICIPATE?”

WHO IS NOT ELIGIBLE TO PARTICIPATE?

  • You are a resident of any of the countries under U.S. sanctions, such as Cuba, Iran, North Korea, Sudan, Syria and regions of Crimea;
  • You are currently an employee of Microsoft Corporation or a Microsoft subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
  • Within the six months prior to your submission you were an employee of Microsoft Corporation or a Microsoft subsidiary;
  • Within six months prior to your submission you performed services for Microsoft or a Microsoft subsidiary in an external staff capacity that required access to the Microsoft Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor; or
  • You currently perform services for Microsoft or a Microsoft subsidiary in an external staff capacity that requires access to the Microsoft Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor;
  • You are involved in any part of the administration and/or execution of this program.

The decisions made by Microsoft are final and binding. Microsoft may cancel this program at any time, for any reason. Be sure to read all of these terms before sending us any submission. If you send us a submission for this program, you are agreeing to these terms. If you do not want to agree with these terms, do not send us any submissions or otherwise participate in this program.

BOUNTY PROGRAM FREQUENTLY ASKED QUESTIONS AND PROGRAM REQUIREMENTS

It is your responsibility to comply with the Microsoft Bounty Program – Comprehensive Terms listed in the FAQ. Please see the Microsoft Bounty Program FAQ to get detailed instructions on:

  1. Reporting bugs to Microsoft
  2. Microsoft’s triage and payment process
  3. Eligibility criteria for participation
  4. Bounty payment policies
  5. Your confidentiality obligations
  6. Microsoft’s privacy statement and legal notice
  7. Other questions on the various Microsoft bounty programs
  8. Coordinated Vulnerability Disclosure

PRIVACY STATEMENT

Please see the privacy statement regarding this program.

LEGAL NOTICE:

To get additional information on the Microsoft legal guidelines, please go to the FAQ and scroll to 'Legal Notice'.

Thank you for participating in the Microsoft Bug Bounty Program!
