Microsoft Bug Bounty Program: How Does 30K Sound to You?


Most people have claimed a reward of some type at some point in their lives. Return someone’s smartphone to them, for example, and they’ll probably think your honesty in returning it is worth $50 at least. Or maybe you return someone’s precious pet to them and get a whole lot more than that for your effort or, more likely, good fortune in having it cross your path or end up in your backyard. But what if there was up to 30K in reward money to be had?

Well, up to that amount is what software development mega-giant Microsoft is offering anyone who can find flaws in its newest Chromium-based Edge browser. Now the likelihood of most people – myself included – even having the ability to do that is pretty slim, but for those who are web-development savvy it’s definitely something worth taking note of.

Now to be sure, just as it would be for any Canadian web hosting provider, we’ve got some talented people on staff who do have the wherewithal required for something like this. They’re aware, and now you are too, so let’s get into discussing what exactly all this is about and whether or not this would be not just easy money, but a LOT of easy money.

Beta Stage Bonuses

Microsoft recently released the beta version of its Chromium-based Edge and introduced the Insider Bounty Program along with it. As mentioned, there’s apparently up to $30,000 to be had for those who find unique vulnerabilities in this beta version of the new browser.

Yes, that’s what you can do when you have deep pockets to this extent. You’d have to find a thousand+ lost phones and pets to come even close!

To clarify though, the full 30K is only available if you find a vulnerability that allows escape from the WDAG (Windows Defender Application Guard) container. The majority of the rewards in the Microsoft Edge Insider Bounty Program are in the range of $1,000 to $3,000, depending on the bug’s severity and – take note – the quality of the submission (in other words, thoroughness: less work for them means more $ for you).

Quality Control & Then Some

Microsoft has stated that the goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to dig up vulnerabilities that are unique to the next Microsoft Edge and have the potential for a direct and demonstrable impact on the security of its customers. Quite admirable, and not out of the ordinary for software developers as far as the aim itself is concerned.

Attaching big money to that aim, however, is out of the ordinary.

It is true that Microsoft has a lot riding on the success and widespread adoption of its new Edge browser, particularly given the success of Google Chrome, to which the current Edge is very much playing second fiddle.

The new browser is reported to have features unique to Chromium-based Edge, such as Internet Explorer mode, PlayReady DRM, Sign in with Microsoft Account (MSA) or Azure Active Directory (AAD), Application Guard and a few others.

Growth of the Bug-Finder Business

Turns out discovering unique bugs in the latest version of Edge can be big business. As mentioned, Microsoft will issue rewards in various tiers, and these are the ones:

  • Spoofing and tampering related security impact – between $1,000 and $6,000, depending on the quality of the report
  • Information Disclosure and Remote Code Execution (RCE) – between $1,000 and $10,000, depending on the severity of the report
  • Vulnerability resulting in Elevation of Privilege (EoP) – between $5,000 and $15,000
  • And again, the biggie – 30K for a vulnerability resulting in escape from the WDAG container to the host

As you’d expect, there are Terms and Conditions for participating in the Microsoft Bug Bounty Program. The report submission must also include tangible proof, demonstrating both the exploitation of the vulnerability and the potential impact it might have on users.

Know your stuff? Scour the beta of Microsoft’s newest Edge and see if you can earn the largest reward you’re likely to ever receive in your life!