Bug bounty systems are a tried-and-tested formula for finding bugs before they can see wider exploitation. It turns the practice of discovering flaws into a money-making endeavor, rather than the exploitation of them. Microsoft has seen much success with bounties for the Edge browser, and exploit-mitigation systems.
It’s now added an ongoing bounty offering of up to $15,000 for “critical and important vulnerabilities” discovered in the slow ring Windows Insider preview builds. This represents the most general bounty scheme that Microsoft has yet launched and opens the door to a wider range of exploits to be discovered.
As much as digging for bugs in Windows Insider builds would be a decent way to earn a living for a number of hackers, regardless of the color hat they wear, Microsoft’s older, more selective bounty systems are still far more lucrative. One key area Microsoft is looking to shore up is its virtual machine Hyper-V system. Find a flaw in that and Microsoft could reward you up to $250,000, whether it is for Windows 10, Server 2012 or a Windows Server Insider preview.
Problems found with the Windows Defender Application Guard come with a $30,000 bounty attached, whereas mitigation bypass bugs could net you as much as $100,000 if discovered. In total there are eight ongoing bug bounty schemes, some of which have been in operation for as long as four years.
The reward figures listed are the maximum, however, so most bugs will unlikely earn that much. The smallest payout for any category is $500, so don’t expect to retire if you find a singular flaw in a piece of Microsoft software. The potential is there, though, if your detection skills are strong enough.
You have time to find them too, as most crucially, the new bounties are not time-limited. While in the past the software giant often pushed for bugs to be found within a select time period to help clear up software before launch, with its new bounties it has them all listed as “ongoing,” with no stated plan for finalizing them.
