Microsoft’s Windows Bounty Program Offers Up To $250K To Sniff Out Windows 10 Bugs

Barring an unexpected change in strategy, Windows 10 is and will remain the last monolithic release of Windows. With that being the case, it is in Microsoft's best interest—as well as its customers'—to ensure that it remains the most secure release. To help with that, Microsoft is upping the ante for bug hunters—certain exploits brought to Microsoft's attention are now worth as much as a quarter of a million dollars.

Imagine finding a bug in Windows 10, reporting it to Microsoft, and then being paid $250,000 for your discovery. That is now a possibility with Microsoft making Windows 10 a permanent part of its bug bounty program and increasing monetary rewards. Previously only Windows Insiders were allowed to participate.


The payout table has been updated to reflect rewards of $500 to $250,000 for certain vulnerabilities, including $5,000 to $250,000 for ones that are focused on Hyper-V. Here are some other highlights from the program:
  • Any critical or important class remote code execution, elevation of privilege, or design flaws that compromise a customer’s privacy and security will receive a bounty
  • The bounty program is sustained and will continue indefinitely at Microsoft’s discretion
  • If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10 percent of the highest amount they could’ve received (example: $1,500 for an RCE in Edge, $25,000 for an RCE in Hyper-V)

Microsoft breaks down its payment ranges by target area. For qualifying bugs discovered in Windows Insider Preview builds or its Edge browser, Microsoft will pay anywhere from $500 to $15,000. Vulnerabilities in its Defender program are worth $500 to $30,000, while mitigation bypasses and defense ideas that would block an exploitation technique could pay researchers anywhere from $500 to $200,000.

"Since 2012, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities," Microsoft said.

Anyone wishing to participate should bookmark Microsoft's bug bounty page where the company keeps the most up-to-date information, including payment amounts and active areas of interest.

Via:  Microsoft