Microsoft Edge technical preview (formerly known as Project Spartan) Bug Bounty Program Terms

PROGRAM DESCRIPTION:

Microsoft is pleased to announce the launch of a vulnerability bounty program for Microsoft-branded internet browsers shipping with Windows 10 technical preview. The program begins 22 April 2015, and ends 22 June 2015. For the duration of the program, individuals across the globe have the opportunity to submit vulnerabilities found in Microsoft-branded internet browsers shipping on our latest pre-release Windows platform. Qualified submissions are eligible for payment from a minimum of $500 USD to $15,000 USD, and bounties will be paid out at Microsoft’s discretion based on the quality and complexity of the vulnerability. Microsoft may pay more than $15,000 USD, depending on the entry quality and complexity.


AM I ELIGIBLE TO PARTICIPATE?:

You are eligible to participate in this program if:

  • you are 14 years of age or older. If you are at least 14 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in this program;
  • you are an individual security researcher participating in your own individual capacity and
  • if you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing your employer’s rules for participating in this program.

WHO IS NOT ELIGIBLE TO PARTICIPATE?

  • A resident of any countries/regions that are under United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria;
  • a current employee of Microsoft Corporation or a Microsoft subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
  • a contingent staff member or vendor employee currently working with Microsoft;
  • a person involved in any part of the administration and execution of this program; or
  • an entity that isn’t an individual person—e.g., companies themselves cannot participate.

The decisions made by Microsoft are final and binding. Microsoft may cancel this program at any time, for any reason. Be sure to read all of these terms before sending us any submission. If you send us a submission for this program, you are agreeing to these terms. If you do not want to agree with these terms, do not send us any submissions or otherwise participate in this program.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?:

Vulnerability submissions (“submissions”) provided to Microsoft must meet the following criteria to be eligible for payment:

  • Identify an original and previously unreported vulnerability in Microsoft-branded internet browsers shipping with Windows 10 technical preview. Examples include Remote Code Execution (RCE), Address Space Layout Randomization (ASLR) Information Disclosure Vulnerabilities, and Sandbox Escape Vulnerabilities.
  • Include concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)

Microsoft may reject any submission, that it determines (in its sole discretion) does not meet these criteria.

HOW ARE PAYMENT AMOUNTS SET?:

The payment range for eligible submissions will be based upon the following:

Vulnerability type Proof of concept Functioning exploit Report Payout range
Remote Code Execution in Microsoft Edge technical preview required required High Quality Up to $15,000 USD*
required No High Quality Up to $6,000 USD*
required No Low Quality Up to $1,500 USD*
Sandbox Escape Vulnerability with Enhanced Protected Mode or in Microsoft Edge technical preview required required High Quality Up to $15,000 USD*
required No High Quality Up to $6,000 USD*
required No Low Quality Up to $1,500 USD*
Important or Higher Severity Vulnerability in Microsoft Edge technical preview or EdgeHTML.dll required Optional High Quality Up to $6,000 USD*
required No Low Quality Up to $1,500 USD*
ASLR Info Disclosure Vulnerability in Microsoft Edge technical preview or EdgeHTML.dll required n/a n/a $500 USD*
      <p>*Higher payouts are possible, at Microsoft’s sole discretion, based on entry quality and complexity.</p>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>Definitions:</strong>
      </p>
      <ul>
        <li>Address Space Layout Randomization (“ASLR”) Info Disclosure vulnerability <ul><li>A vulnerability that leads to reliable information about memory stack allocation performed by ASLR</li></ul></li>
        <li>Functioning exploit <ul><li>Expansion on the proof of concept that concretely demonstrates that remote code execution is possible, such as by forcing Microsoft Edge technical preview to execute a program of the attacker’s choosing (for example, calc.exe).</li></ul></li>
        <li>The exploit must bypass all relevant mitigations that are enabled by Microsoft Edge technical preview</li>
        <li>Important or higher severity vulnerability <ul><li>For example, a cross-domain (“Universal XSS”) bug that allows for inappropriate cookie/DOM access across security contexts within the browser.</li></ul></li>
        <li>Proof of concept <ul><li>The files and steps necessary to reliably reproduce the vulnerability.</li></ul></li>
        <li>Remote code execution <ul><li>A vulnerability in Microsoft Edge technical preview where an attacker has access to someone else's computing device and make changes, no matter where the device is geographically located.</li></ul></li>
        <li>Sandbox escape vulnerability <ul><li>A vulnerability in Microsoft Edge technical preview that allows the attacker to escape the Protected Mode (EPM) sandbox in Project Spartan (elevation of privilege), or escape from the app container used by Microsoft Edge technical preview.</li></ul></li>
      </ul>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?</strong>
      </p>
      <p>The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in our browsers, the following are examples of vulnerabilities that will not earn a bounty reward under this program:</p>
      <ul>
        <li>Vulnerabilities in anything earlier than the current public technical preview of Windows 10 AKA “Threshold”</li>
        <li>Vulnerabilities in released versions of Internet Explorer ( &lt;= IE 11)</li>
        <li>Vulnerabilities in user-generated content</li>
        <li>Bugs requiring extensive or unlikely user actions</li>
      </ul>
      <p>We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.</p>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>HOW DO I PROVIDE MY SUBMISSION?</strong>
      </p>
      <p>Send your complete submission to Microsoft at <a runat="server" href="mailto:secure@microsoft.com">secure@microsoft.com</a> using the <strong xmlns="https://www.w3.org/1999/xhtml">bug submission guidelines found <a runat="server" style="text-decoration:solid" href="https://technet.microsoft.com/en-us/security/ff852094.aspx">here</a>. We request you follow <a runat="server" style="text-decoration:solid" href="https://msdn.microsoft.com/en-us/library/dn467923(v=msdn.10)">Coordinated Vulnerability Disclosure</a></strong> when reporting all vulnerabilities. We are not responsible for submissions that we do not receive for any reason. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.</p>
      <p>If you provide us with an otherwise eligible submission, but do not follow <a runat="server" href="https://msdn.microsoft.com/en-us/library/dn467923(v=msdn.10)">Coordinated Vulnerability Disclosure</a>—for example, by publishing the vulnerability when or before you submit it under this program—then Microsoft may deem your submission to be ineligible under this program. We may also bar you from receiving compensation under future Microsoft Bounty programs.</p>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>WHAT CONFIDENTIALITY OBLIGATIONS DO I TAKE ON BY PROVIDING MY SUBMISSION?</strong>
      </p>
      <p>If you send us a submission for this program, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless Microsoft makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability or showing the effects of the exploit in code.</p>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>I’VE SENT MY SUBMISSION. NOW WHAT?</strong>
      </p>
      <ul>
        <li>You will receive an email message stating that we have received your submission.</li>
        <li>Our engineers will review the submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.</li>
        <li>After your submission has been validated, you will be contacted to provide the necessary paperwork to process your payment.</li>
        <li>You will complete tax documentation paperwork. After we receive that paperwork and confirm that you are eligible to receive payment under this program, we will deem your submission to be qualified and process your bounty.</li>
      </ul>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>BOUNTY PAYMENTS:</strong>
      </p>
      <p>Bounties will be paid out at Microsoft’s discretion based on the quality and complexity of the vulnerability. Microsoft retains sole discretion in determining which submissions are qualified. Microsoft retains sole discretion in determining which submissions are qualified. The minimum bounty paid for a qualified submission is $500 USD up to a maximum of $15,000 USD. There are no restrictions on the number of qualified submissions an individual submitter can provide and be paid for. If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.</p>
      <p>If you do not wish to receive a bounty payment for your vulnerability submission, Microsoft will gladly work with you to donate the bounty to an approved charity. All individuals who have been awarded bounties will additionally be recognized on our <a runat="server" href="https://technet.microsoft.com/en-us/library/dn469163.aspx">Bounty Honor Roll</a> page.</p>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>PRIVACY STATEMENT</strong>
      </p>
      <p>Please see the <a runat="server" href="https://msdn.microsoft.com/en-us/library/dn425050(v=msdn.10)">privacy statement</a> regarding this program.</p>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>LEGAL NOTICE:</strong>
      </p>
      <p>It is your responsibility to comply with any polices that your employer may have that would affect your eligibility to participate in the bug bounty programs. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving bounty payment(s). Government employees who want to participate are required to provide a letter from their employer’s ethics compliance officer confirming their ability to participate in this program. All payments will be made in compliance with local laws, regulations, and ethics rules. Microsoft disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.</p>
      <p>If we determine that your submission is qualified, Microsoft will notify you by sending a reply to your email submission. If the notification that we send is returned as undeliverable, or if you are otherwise unreachable for any reason, we may not provide payment.</p>
      <p>If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the program. Before receiving a bounty payment, you are required to sign an Affidavit of Eligibility (a formal statement that verifies your personal information), a Liability/Publicity Release (which provides permission for Microsoft to use your name and likeness without pursuing future claims), and a W-9 tax form or W-8 BEN tax form, all within 30 calendar days of notification of validation. If you want to remain anonymous to the public, we will honor your request, but we must know your legal name in order to pay you. If your submission is qualified and you are 14 or older but are considered a minor in your place of legal residence, we may require your parent or legal guardian to sign all required forms on your behalf. If you do not complete the required forms as instructed or do not return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until we have received the fully executed required documentation.</p>
      <p>If your submission is qualified, please note:</p>
      <ul>
        <li>you may not designate someone else as the bounty recipient unless you are considered a minor in your place of residence;</li>
        <li>if you are unable or unwilling to accept your bounty, we reserve the right to rescind it;</li>
        <li>if you accept a bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s); and</li>
        <li>if you are eligible for this program but are considered a minor in your place of residence, we may award the bounty payment to your parent/legal guardian on your behalf.</li>
      </ul>
      <p>Microsoft is not claiming any ownership rights to your submission. However, by providing your submission to Microsoft, you:</p>
      <ul>
        <li>grant Microsoft the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your submission: (i) to use, review, assess, test, and otherwise analyze your submission; (ii) to reproduce, modify, distribute, display and perform publically, and commercialize and create derivative works of your submission and all its content, in whole or in part, in connection with this program; and (iii) to feature your submission and all of its content in connection with the marketing, sale, or promotion of this program (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the submission in press releases) in all media (now known or later developed);</li>
        <li>agree to sign any documentation that may be required for us or our designees to make sure of the rights you granted above;</li>
        <li>understand and acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission, and you waive any claims you may have resulting from any similarities to your submission;</li>
        <li>understand that you qualify for a one-time payment for each qualified vulnerability and are not guaranteed any other compensation or credit for use of your submission; and</li>
        <li>represent that your submission is your own work and that you haven’t used information owned by another person or entity.</li>
      </ul>
      <p>This program is hosted in the United States, and submissions are collected on computers in the United States. This program will be governed by the laws of the State of Washington, and you consent to the exclusive jurisdiction and venue of the courts of the State of Washington for any disputes that arise out of this program.</p>
      <p>Microsoft thanks you for your participation.</p>
    </div>
  </div>
</td>
<td valign="top" style="width:25%;">
  <div>
    <ContentInclude Identifier="mt797755" runat="server" />
    <ContentInclude Identifier="mt797756" runat="server" />
    <div style="background-color: #eeeeee;  padding-top: 15px; padding-left: 18px;     padding-right: 18px; padding-bottom: 10px; margin-bottom: 1px; ">
      <p style="margin-bottom: 7px; color: #454545; font-size: 15px;">MSRC Blog</p>
    </div>
    <FeedViewerBasic RssUrl="https://blogs.technet.microsoft.com/msrc/feed/" IsDiscoverable="True" Layout="Featured" NumberOfItems="3" ShowDates="False" ShowAuthor="False" ItemSize="150" SortByDate="True" runat="server" ExternalGuid="ED0CDBC4-41D3-A225-7397-795C85B33FF2" />
    <div style="background-color: #eeeeee;  padding-top: 15px; padding-left: 18px;     padding-right: 18px; padding-bottom: 10px; margin-bottom: 1px; ">
      <p style="margin-bottom: 7px; color: #454545; font-size: 15px;">SRD Blog</p>
    </div>
    <FeedViewerBasic RssUrl="https://blogs.technet.microsoft.com/srd/feed/" Layout="Featured" ItemSize="150" NumberOfItems="3" SortByDate="True" ShowDates="False" ShowAuthor="False" IsDiscoverable="True" runat="server" ExternalGuid="E004634C-EE48-506D-B1F0-C87F9651380B" />
    <ContentInclude Identifier="mt797757" runat="server" />
  </div>
</td>