Microsoft has announced the Xbox Bounty Program to encourage security researchers to find holes in the console’s security. In particular, the focus is on the underlying network service, Xbox Live, which also extends to some PC and xCloud titles.

The effort comes ahead of the launch of its next-gen console, the Xbox Series X. Any fixes in the near future will affect the Xbox 360, Xbox One, and Xbox One X, but improvements to the underlying infrastructure will help all releases going forward.

Find a vulnerability that has “a direct and demonstrable impact” on customer security, and you could net $20,000. Admittedly, you could also receive as little as $500, as the payout depends on the severity of the bug.

As you’d expect, Remote Code Execution (RCE) flaws are Microsoft’s top priority. Any vulnerability in this category could seriously impact the safety of customers, so critical RCE bugs earn the top reward, with up to $15,000 for bugs deemed ‘Important’.

Security Impact           Report Quality   Severity: Critical   Severity: Important
Remote Code Execution     High             $20,000              $15,000
                          Medium           $15,000              $10,000
                          Low              $10,000              $5,000
Elevation of Privilege    High             $8,000               $5,000
                          Medium           $4,000               $2,000
                          Low              $3,000               $1,000
Security Feature Bypass   High             N/A                  $5,000
                          Medium           N/A                  $2,000
                          Low              N/A                  $1,000
Information Disclosure    High             N/A                  $5,000
                          Medium           N/A                  $2,000
                          Low              N/A                  $1,000
Spoofing                  High             N/A                  $5,000
                          Medium           N/A                  $2,000
                          Low              N/A                  $1,000
Tampering                 High             N/A                  $5,000
                          Medium           N/A                  $2,000
                          Low              N/A                  $1,000
Denial of Service         High/Low         Out of Scope

Even so, you won’t reach the top reward unless you provide the company with a high-quality report, and that doesn’t necessarily mean length. It wants clear and reproducible steps in a concise format.

Even within the program, there are some activities Microsoft prohibits. Researchers may not perform a Denial of Service (DoS) attack under any circumstances, and that includes any automated testing that produces a significant amount of traffic. You’re also not allowed to access any data that isn’t your own; instead, you should create test accounts. In general, the guidelines say you shouldn’t go beyond the steps necessary to produce a proof of concept.

You can find the full list of guidelines on the MSRC site.