Microsoft offers up to $20,000 to identify security vulnerabilities in Xbox Live

When it comes to securing complex products, companies are increasingly turning to bug bounty programs to invite members of the public to find security vulnerabilities. Google’s bug bounty program handed out $6.5 million last year, and Apple recently expanded its program to cover macOS bugs as well as iOS bugs.

Now Microsoft is expanding its own bug bounty program from covering software like its Office suite and its Edge browser to also covering the Xbox Live network and services. The company will pay out rewards to anyone who can find and reproduce a security vulnerability in the Xbox Live system.

As announced in a Microsoft Security Response Center blog post, “The Xbox bounty program invites gamers, security researchers, and technologists around the world to help identify security vulnerabilities in the Xbox network and services, and share them with the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear and concise proof of concept (POC) are eligible for awards up to US$20,000.”

CVD is a policy in which researchers agree to disclose any vulnerabilities they find to the creators of the software (in this case, Microsoft) and allow the creators to manage further disclosure. Essentially, participants in the bug bounty program agree that they will turn over information about vulnerabilities to Microsoft and let Microsoft handle the closing of security loopholes and announcements to the public.

To register for the program, users must have an Xbox network account, and Microsoft recommends that they have access to an Xbox with an Xbox Game Pass or Xbox Gold as well. Once a user has identified a security vulnerability that can be reproduced in the latest, patched version of Xbox Live, they must report it in either written or video format.

Bounties range from $1,000 for a low-quality report of a vulnerability that allows tampering all the way up to $20,000 for a high-quality report of a critical vulnerability that enables remote code execution.

Denial of Service attacks are not part of the program and are prohibited, as are automated attacks that generate significant traffic. Social engineering attacks such as phishing are also not allowed.

More details about the bug bounty program are available on the Microsoft website.

Georgina Torbet