Microsoft has announced a bug bounty program for its new Chromium-based web browser Microsoft Edge which has been launched into beta recently. The program offers up to $30,000 to security researchers across the globe when they find and report bugs and vulnerabilities.
The rewards range from $1,000 to $30,0000, depending on the severity and impact of the vulnerability and quality of the submission. Also, don’t forget to read Microsoft bounty terms and conditions.
“The goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to uncover vulnerabilities that are unique to the next Microsoft Edge which have a direct and demonstrable impact on the security of our customers,” said Microsoft.
With the next version of Microsoft Edge based on Chromium, the tech giant has introduced some unique features which “may be good places to start looking for Microsoft bounty eligible vulnerabilities.” These features include Internet Explorer (IE) mode, PlayReady DRM, Sign in with Microsoft Account (MSA) or Azure Active Directory (AAD), and Application Guard.
If you have found vulnerabilities affecting Application Guard then the submission will be reviewed and awarded, if eligible, under Windows Defender Application Guard (WDAG) bounty program. Vulnerabilities resulting in escape from the WDAG container to the host are eligible for up to $30,000.
If your submission doesn’t qualify for bounty awards then don’t lose hope as it may still be eligible for public acknowledgment, if it leads to a vulnerability fix.
The company is offering rewards in various tiers considering security impact, report quality (high, medium, low), and severity (critical, important, moderate, and low). If the severity of the submission, in any case, is moderate or low then you are gonna get nothing but it may be eligible for public acknowledgment as mentioned.
As you already know, the highest is $30,000 and will be given to researchers who report bugs and vulnerabilities affecting the Elevation of Privilege (EoP) and WDAG container escape while submitting a report relating to Spoofing or Tempering could earn you between $1,000 to $6,000. If your report falls under Elevation of Privilege then you are eligible to earn between $5,000 to $15,000. Submission relating to Information Disclosure and Remote Code Execution, depending on the severity, will be rewarded anywhere between $1,000 and $10,000.
To be eligible for bounty awards, your vulnerability submission should meet some criteria listed by Microsoft here. Head over to MSRC submission portal and the bug submission guidelines to send your complete submission for review to Microsoft.
