Microsoft has announced an extension of the Edge bug bounty program, and this time it’s indefinite. The company first released the program in April of 2015, before the launch of Windows 10, but shut it down shortly after. In August 2016, it brought it back, and in September it was expanded.
It’s fair to say that some have seen this coming, and Microsoft has gained a lot of useful information so far. In a blog post on Wednesday, it revealed that it has paid out over $200,000 in bounties.
“This collaboration with the research community has resulted in significant improvements in Edge security and has allowed us to offer more proactive security for our customers,” said security program manager Akila Srinivasan.
Microsoft Edge Bug Bounty Program Rules
Despite the large financial investment, it's worth noting that Microsoft doesn't just hand out money for any old bug. There are some caveats, and the program only applies to certain categories of security issue. Here are the full details:
- “Any critical remote code execution or important design issue that compromises a customer’s privacy and security will receive a bounty
- The bounty program is sustained and will continue indefinitely at Microsoft's discretion
- Bounty payouts will range from $500 USD to $15,000 USD
- If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD
- Vulnerabilities must be reproducible on the latest Windows Insider Preview (slow track)
- All security bugs are important to us and we request you report all Microsoft Edge browser security bugs to email@example.com via Coordinated Vulnerability Disclosure (CVD) policy”
While the $15,000 payouts will likely be reserved for only the most critical bugs, this is still a nice incentive. Crowdsourcing security research often surfaces exploits that are more outside the box, and should result in a safer experience for all users.