Microsoft Hyper-V Bounty Program Terms

PROGRAM DESCRIPTION

Microsoft is pleased to broaden the scope of the Microsoft Hyper-V Bounty Program beginning May 31, 2017. Through this program, individuals across the globe have the opportunity to submit vulnerabilities in eligible product versions for Microsoft Hyper-V for payment of up to $150,000 USD. Microsoft will pay a bounty on three types of vulnerabilities: Remote Code Execution (RCE), Information Disclosure (ID) and Denial of Service (DOS). All bounties will be paid out at Microsoft’s discretion.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for payment:

  • Identify an original and previously unreported vulnerability in an eligible version of Microsoft Hyper-V:
    • Hyper-V on Windows 10 (latest Windows Insider Preview (WIP) Slow ring build)
    • Hyper-V on Windows Server 2016 (latest available version)
    • Hyper-V on Windows Server 2012 R2
    • Hardware and firmware issues are not in scope
  • If you are submitting a vulnerability for Hyper-V on Windows 10, the vulnerability must reproduce on the current WIP Slow build to qualify for a bounty
    • If a submission reproduces on a previous WIP Slow build but not on the current WIP Slow build at the time of your submission, the submission is ineligible
  • Include concise, easily understood reproduction steps. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the WIP Slow build number on which the vulnerability reproduces
  • Vulnerabilities that rely on an attacker having full control of a guest or that rely on a malicious operating system running in a guest are considered in scope
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission based on the criteria mentioned above
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we will award a differential to the duplicate submission
  • The first external report received on an internally known issue will receive a maximum of 10% of the maximum payout ($15,000 for a Hyper-V escape (vulnerability and exploit), $1,500 for information disclosure or DOS)
  • A high-quality report requires a proof of concept together with a detailed write-up or a whitepaper

Windows Server containers are out of scope; Hyper-V containers are in scope. The difference between the two is outlined below.

  • Windows Server containers: multiple container instances run concurrently on a host, with isolation provided through namespace, resource control, and process isolation technologies. Windows Server containers share the same kernel with the host and with each other, so a container escape does not cross a hypervisor boundary.
  • Hyper-V containers: multiple container instances run concurrently on a host, but each container runs inside a special-purpose virtual machine. This provides kernel-level isolation between each Hyper-V container and the container host, so a Hyper-V container escape is a Hyper-V guest-to-host escape.
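The following PowerShell is an added example, not part of the Microsoft program page, that collects the host details a submission is expected to carry (the Windows build number the terms require, plus the file versions of the Hyper-V binaries that map onto the program's tiers) and, for an optionally named container, reports its isolation mode so that an in-scope Hyper-V container can be told apart from an out-of-scope Windows Server container. It assumes an elevated session on the Hyper-V host and, for the container check, a Windows Docker daemon; the function name `Get-HyperVReportInfo` is the example's own.

```powershell
# Added example (not Microsoft's code): gather the build and component-version
# details for a Hyper-V bounty submission and classify a container's isolation.
# Run in an elevated PowerShell session on the Hyper-V host.

function Get-HyperVReportInfo {
    param(
        # Optional: name or ID of a running container to classify.
        [string]$ContainerName
    )

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # "CurrentBuild.UBR" is the usual way a Windows build is quoted; UBR is
    # absent on some older hosts, so fall back to the bare build number.
    $build = $cv.CurrentBuild
    if ($cv.PSObject.Properties['UBR']) { $build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR }

    $info = [ordered]@{
        OSBuild     = $build
        # BuildLabEx carries the branch and timestamp that pin down a specific
        # Insider Preview flight, which the terms ask reporters to identify.
        BuildLabEx  = $cv.BuildLabEx
        ProductName = $cv.ProductName
        EditionID   = $cv.EditionID
    }

    # Hyper-V binaries by tier: hvix64.exe / hvax64.exe (hypervisor, Tier 1),
    # vmwp.exe (VM worker process, Tier 2), vmms.exe (management service).
    foreach ($b in 'hvix64.exe', 'hvax64.exe', 'vmwp.exe', 'vmms.exe') {
        $path = Join-Path $env:SystemRoot "System32\$b"
        if (Test-Path $path) {
            $info[$b] = (Get-Item $path).VersionInfo.FileVersion
        }
    }

    # Confirm the Hyper-V role is actually enabled on this host.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
    if ($feature) { $info['HyperVFeature'] = $feature.State }

    # Container isolation: 'hyperv' is a Hyper-V container (in scope);
    # 'process' is a Windows Server container (out of scope). 'default' means
    # the daemon default, which is process isolation on Windows Server hosts
    # and Hyper-V isolation on Windows 10 hosts.
    if ($ContainerName -and (Get-Command docker -ErrorAction SilentlyContinue)) {
        $isolation = docker inspect --format '{{.HostConfig.Isolation}}' $ContainerName 2>$null
        if ($LASTEXITCODE -eq 0) { $info['ContainerIsolation'] = $isolation }
    }

    [pscustomobject]$info
}

# Usage:
#   Get-HyperVReportInfo
#   Get-HyperVReportInfo -ContainerName mytestcontainer
```

Paste the resulting object into the report alongside the reproduction steps; the build and BuildLabEx values are what triage uses to confirm the issue reproduces on the current WIP Slow build rather than an earlier flight.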

We have divided the scope into tiers to provide better clarity on the payment structure:

  • Tier 1: the hypervisor and the host kernel
  • Tier 2: the virtual machine worker process (vmwp.exe)
  • Tier 3: the following Hyper-V components: RemoteFX, Legacy Network Adapter (Generation 1), Fibre Channel Adapter, GPU Paravirtualization

Remote Code Execution

An eligible submission includes an RCE vulnerability in Microsoft Hyper-V that enables a guest virtual machine to compromise the hypervisor, escape from a guest virtual machine to the host, or escape from one guest virtual machine to another guest virtual machine.

Vulnerability Type  Tier    Proof of concept  Functioning Exploit  Report Quality  Payout (USD)
RCE                 Tier 1  Required          Yes                  High            $150,000
RCE                 Tier 1  Required          No                   High            $100,000
RCE                 Tier 1  Required          No                   Low             $50,000
RCE                 Tier 2  Required          Yes                  High            $75,000
RCE                 Tier 2  Required          No                   High            $50,000
RCE                 Tier 2  Required          No                   Low             $25,000
RCE                 Tier 3  Required          Yes                  High            $20,000
RCE                 Tier 3  Required          No                   High            $15,000
RCE                 Tier 3  Required          No                   Low             $5,000

Denial of Service and Information Disclosure

The vulnerability should result in one of the following:

  • Crash the host machine, resulting in a denial of service condition
  • Prevent VMs from starting or stopping
  • Disclose sensitive information from the host machine or from another guest

Vulnerability Type  Tier    Proof of concept  Report Quality  Payout (USD)
DOS                 Tier 1  Required          High            $15,000
DOS                 Tier 1  Required          Low             $5,000
Info Disclosure     Tier 1  Required          High            $25,000
Info Disclosure     Tier 1  Required          Low             $5,000
Info Disclosure     Tier 2  Required          High            $15,000
Info Disclosure     Tier 2  Required          Low             $5,000

BOUNTY PROGRAM FREQUENTLY ASKED QUESTIONS AND PROGRAM REQUIREMENTS

It is your responsibility to comply with the Microsoft Bounty Program – Comprehensive Terms listed in the FAQ. Please see the Microsoft Bounty Program FAQ to get detailed instructions on:

  1. Reporting bugs to Microsoft
  2. Microsoft’s triage and payment process
  3. Eligibility criteria for participation
  4. Bounty payment policies
  5. Your confidentiality obligations
  6. Microsoft’s privacy statement and legal notice
  7. Other questions on the various Microsoft bounty programs
  8. Coordinated Vulnerability Disclosure

PRIVACY STATEMENT

Please see the privacy statement regarding this program.

LEGAL NOTICE

For additional information on the Microsoft legal guidelines, please go to the FAQ and scroll to 'Legal Notice'.

Thank you for participating in the Microsoft Bug Bounty Program!