Microsoft's bug bounty program for Edge traditionally focused on remote code execution vulnerabilities, but on Wednesday the company widened the bounty to include other security flaws.
Users will now get up to $15,000 for spotting vulnerabilities that lead to the violation of W3C standards, as well as RCEs.
Bug Bounty Details
Microsoft is now looking for the following vulnerabilities:
- “Same Origin Policy bypass vulnerabilities (example: UXSS)
- Referer Spoofing vulnerabilities
- Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview
- Vulnerabilities in open source sections of Chakra”
The bounty will begin on August 4th, and run all the way through to May of 2017. Payouts can be anywhere between $500 and $15,000, and you can still get up to $1,500 for bugs Microsoft has already found internally.
Payout varies depending on how severe the bug is.
Submitters must also adhere to the following criteria:
- “Identify an original and previously unreported vulnerability in the current Microsoft Edge on WIP slow.
- Include concise reproducibility steps that are easily understood.
- Include the WIP slow build number on which the vulnerability reproduces.”
The only other limitation is that the bugs need to be reproducible on the latest Slow Ring Insider Preview. They also need to be emailed to [email protected] to qualify for the reward.
“Since security is a continuous effort and not a destination, we prioritize acquiring different types of vulnerabilities in different points of time,” says the company, adding that W3C exploits “compromise privacy and integrity of important user data.”
Other Bug Bounties
Eligible bugs in this program include bypasses of CSRF protection, encoding and data-protection failures, information disclosures to a client, authentication bypasses, and remote code execution. This time, it applies to RTM versions, as well as beta and RC releases.