Microsoft has announced the Xbox Bounty Program to encourage security researchers to find holes in the console's security. In particular, the focus is on the underlying network service, Xbox Live, which also extends to some PC and xCloud titles.
The effort comes ahead of the launch of its next-gen console, the Xbox Series X. Any fixes in the near future will affect the Xbox 360, Xbox One, and Xbox One X, but improvements to the underlying infrastructure will help all releases going forward.
Find a vulnerability that has “a direct and demonstrable impact” on customer security, and you could net $20,000. Admittedly, you could also receive as little as $500; it all depends on the severity of the bug.
As you'd expect, Remote Code Execution (RCE) flaws are Microsoft's top priority. Any vulnerability in this category could have a serious impact on the safety of customers, so RCE carries the top reward for bugs rated ‘Critical’ and up to $15,000 for bugs rated ‘Important’.
| Security Impact | Report Quality | Severity: Critical | Severity: Important |
|---|---|---|---|
| Remote Code Execution | High | $20,000 | $15,000 |
| | Medium | $15,000 | $10,000 |
| | Low | $10,000 | $5,000 |
| Elevation of Privilege | High | $8,000 | $5,000 |
| | Medium | $4,000 | $2,000 |
| | Low | $3,000 | $1,000 |
| Security Feature Bypass | High | N/A | $5,000 |
| | Medium | N/A | $2,000 |
| | Low | N/A | $1,000 |
| Information Disclosure | High | N/A | $5,000 |
| | Medium | N/A | $2,000 |
| | Low | N/A | $1,000 |
| Spoofing | High | N/A | $5,000 |
| | Medium | N/A | $2,000 |
| | Low | N/A | $1,000 |
| Tampering | High | N/A | $5,000 |
| | Medium | N/A | $2,000 |
| | Low | N/A | $1,000 |
| Denial of Service | High/Low | Out of Scope | Out of Scope |
Even so, you won't reach the top reward unless you provide the company with a high-quality report, and that doesn't necessarily mean a long one. Microsoft wants clear, reproducible steps in a concise format.
Despite the program, there are some activities Microsoft prohibits. Researchers may not perform a Denial of Service (DoS) attack under any circumstances, and that includes any automated testing that produces a significant amount of traffic. You're also not allowed to access any data that isn't your own; create test accounts instead. In general, the guidelines say you shouldn't go beyond the steps necessary to produce a proof of concept.
You can find the full list of guidelines on the MSRC site.