Skip to main content
Rate:  

 

Frequently Asked Questions about Microsoft Bug Bounty Programs

This document answers frequently asked questions about bounty programs and explains the submission and confidentiality requirements of the programs.

The decisions made by Microsoft are final and binding. Microsoft may cancel this program at any time, for any reason. Be sure to read all of these terms before sending us any submission. If you send us a submission for this program, you are agreeing to these terms. If you do not want to agree with these terms, do not send us any submissions or otherwise participate in this program.

HOW DO I SUBMIT A VULNERABILITY REPORT FOR BOUNTY?

Send your complete submission to Microsoft (including instructions to reproduce the vulnerability) at secure@microsoft.com using the bug submission guidelines found here. Some important notes:

  • We request you follow Coordinated Vulnerability Disclosure(CVD) when reporting all vulnerabilities to Microsoft, as submissions that do not follow CVD may not be eligible for bounty and could disqualify you from future participating in bounty programs in the future.
  • Microsoft is not responsible for submissions that we do not receive for any reason.
  • Microsoft will exercise reasonable efforts to clarify indecipherable or incomplete submissions, but more complete submissions are often eligible for higher bounties (see program rate tables for details).
  • There are no restrictions on the number of qualified submissions an individual submitter can provide and potentially be paid bounty for.

WHAT HAPPENS AFTER I SUBMIT THE REPORT?

  1. You will receive an email stating that we have received your submission.
  2. Our engineers will review the submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.
  3. After your submission has been validated, we will contact you to provide the necessary paperwork to process your payment.
  4. You will complete tax documentation paperwork. After we receive that paperwork and confirm that you are eligible to receive payment under this program, we will deem your submission to be qualified and process your bounty.
  5. We will recognize all individuals who have been awarded bounties on our Bounty Honor Roll page unless you explicitly ask us not to include your name here.

WHO IS ELIGIBLE TO PARTICIPATE?

You are eligible to participate in this program if all of the following are true:

  • You are 14 years of age or older. If you are at least 14 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in this program;
  • You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this program.
  • None of the criteria in the section “WHO IS NOT ELIGIBLE TO PARTICIPATE?” apply to you.

WHO IS NOT ELIGIBLE TO PARTICIPATE?

  • You are a resident of any countries under U.S. sanctions (see link for current sanctions list posted by the United States Treasury Department);
  • You are currently an employee of Microsoft Corporation or a Microsoft subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
  • Within the six months prior to your submission you were an employee of Microsoft Corporation or a Microsoft subsidiary;
  • You currently (or within six months prior to your submission) perform services for Microsoft or a Microsoft subsidiary in an external staff capacity that requires access to the Microsoft Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor; or
  • You are involved in any part of the administration and/or execution of this program.

ARE THERE ADDITIONAL REQUIREMENTS FOR AN ORGANIZATION TO PARTICIPATE IN THE MICROSOFT BOUNTY PROGRAMS?

Yes, an organization will be required to complete a pre-registration process in order to participate in the program. Please email bounty@microsoft.com for complete details.

HOW DOES MICROSOFT DETERMINE BOUNTY PAYMENTS?

  • Microsoft retains sole discretion in determining which submissions are qualified, according to the rules of each program.
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first eligible submission.
  • If a duplicate report provides new information that was previously unknown to Microsoft, we will award a differential to the person submitting the duplicate report.
  • The first external report received on an internally known issue will receive a maximum of $1,500 USD.

I SUBMITTED A VULNERABILITY BEFORE YOU HAD BOUNTIES. CAN I GET PAID?

We have long been recognizing the work of security researchers who help us secure our products in a variety of ways, from acknowledgement in a Microsoft bulletin to invitations to events like the Researcher Appreciation Party in Las Vegas. The bounty programs represent the latest in our ongoing investment in working collaboratively with security researchers.

WHAT CAN I DISCLOSE ABOUT A VULNERABILITY REPORT I SUBMITTED FOR BOUNTY AND WHEN CAN I DISCLOSE IT?

If you report a vulnerability, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless Microsoft makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code.

  • Please do not discuss the vulnerability in any form prior to Microsoft notifying you that it is fixed. (We may pay bounties before a vulnerability is fixed, so please wait for the confirmation that it is fixed) Disclosing a vulnerability before we notify you that it has been fixed may render you ineligible to participate in any bounty programs.
  • Please contact bounty@microsoft.com if you intend to discuss the vulnerability after it has been fixed. This includes blog posts, public presentations, whitepapers and other media.
  • To give people time to update, we generally recommend waiting for at least 30 days after your submission has been fixed by Microsoft before discussing it publicly.

CAN I SUBMIT A VULNERABILITY WHEN I FIND IT AND A WORKING EXPLOIT LATER?

Yes. We want to know about a security vulnerability as soon as you’ve found it. We will award you the bounty for the vulnerability reported. If you give us the functioning exploit within 90 days of submitting the vulnerability, we will top it off and pay you the entire bounty amount. For example, if you submit a critical RCE you will receive $6,000 during the adjudication. When you submit the functioning exploit within 90 days, you will receive the additional $9,000.

WHEN ARE YOU GOING TO ADD A BOUNTY FOR [X]?

We’re constantly evaluating our programs to determine how to increase the win-win between the security research community and Microsoft’s customers.

REGARDING MITIGATION BYPASS BOUNTIES HOW DO I KNOW IF I SHOULD PRE-REGISTER?

If you are submitting your own mitigation bypass idea that you invented, then you do not need to pre-register. Simply send it to secure@microsoft.com. If you are submitting a mitigation bypass technique that you found in use in the wild, then you will need to pre-register before you submit. Email bounty@microsoft.com to get started. Please see complete program terms here.

CAN I SUBMIT A DEFENSE AGAINST SOMEONE ELSE’S MITIGATION BYPASS TECHNIQUE?

Yes, if the defense submission qualifies as being new and practical as defined in the terms, we will award up to $100,000 USD for a defense that can block existing mitigation bypasses. If you have a defensive technique and corresponding exploits to prove the technique works, you will be eligible for this program.

PRIVACY STATEMENT

Please see the privacy statement regarding this program.

MSRC Blog

SRD Blog