HomeWinBuzzer NewsMicrosoft Will Pay You up to $20,000 If You Can Find an...

Microsoft Will Pay You up to $20,000 If You Can Find an Xbox Live Bug

Microsoft has opened the Xbox Bounty Program, which will net security researchers significant rewards for RCE, escalation of privilege, and other flaws in Xbox Live.

-

has announced the Xbox Bounty Program to encourage security researchers to find holes in the console's security. In particular, the focus is on the underlying network services, Xbox Live, which also spans to some PC and xCloud titles.

The effort comes ahead of the launch of its next-gen console, the Xbox Series X. Any fixes in the near future will affect the Xbox 360, Xbox One, and Xbox One X, but improvements to the underlying infrastructure will help all releases going forward.

Find a vulnerability that has “a direct and demonstratable impact” on customer security, and you could net $20,000. Admittedly, you could also receive $500, but it all depends on the severity of the bug.

As you'd expect, Remote Code Execution (RCE) flaws are Microsoft's top priority. Any serious vulnerability in this category could seriously impact the safety of customers, with the top reward for critical bugs and up to $15,000 for bugs deemed ‘Important'.

Security Impact Report Quality Severity
Critical Important
Remote Code Execution High

Medium

Low

$20,000

$15,000

$10,000

$15,000

$10,000

$5,000

Elevation of Privilege High

Medium

Low

$ 8,000

$ 4,000

$ 3,000

$5,000

$2,000

$1,000

Security Feature Bypass High

Medium

Low

N/A $5,000

$2,000

$1,000

Information Disclosure High

Medium

Low

N/A $5,000

$2,000

$1,000

 

Spoofing

High

Medium

Low

N/A $5,000

$2,000

$1,000

Tampering High

Medium

Low

N/A $5,000

$2,000

$1,000

Denial of Service High/Low Out of Scope

Even so, you won't reach the top reward unless you provide the company with a high-quality report, and that doesn't necessarily mean length. It wants clear and reproducible steps in a concise format.

Despite the program, there are some activities Microsoft prohibits. Attackers may not perform a Denial of Service (DoS) attack under any circumstances. This includes any automated testing that produces a significant amount of traffic. You're also not allowed to gain access to any data that isn't your own. Instead, you should create test accounts. In general, the guidelines say you shouldn't go beyond the steps necessary to create a proof of concept.

You can find a full list of guidelines on the MRSC site.

SourceMicrosoft
Ryan Maskell
Ryan Maskellhttps://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.

Recent News

Mastodon