Microsoft’s Jason Shirk from the MSRC Team reports that the company has added another bounty program to its roster for bug hunters. This one targets possible remote code execution vulnerabilities within the version of Microsoft Edge that’s served up to participants in the Windows Insider program. For consumers, that means a good chunk of vulnerabilities will have already been tracked down and patched before a new version of the browser is released to the masses.
“This bounty continues our partnership with the security research community in working to secure our platforms, in pre-release stages of the development process,” Shirk writes. “The Windows Insider program is built to help shape the future of Windows, and represents the latest in features, including new security features and mitigations.”
The new Microsoft Edge bounty began on August 4, 2016, and will conclude on May 15, 2017. Bug hunters will be paid handsomely for their research, earning between $500 and $15,000. However, if they report a qualifying vulnerability that Microsoft had already found internally, the company will offer up to $1,500 to the first “external” individual who submits a report.
Additionally, all vulnerabilities uncovered by researchers must be reproducible on the latest version of Windows 10 in the Windows Insider program “slow ring.” For the uninitiated, the Windows Insider program is broken down into “fast,” “slow,” and “Release Preview” rings, with the first group getting builds as they’re completed, the second group receiving slightly more polished and stable builds at a slower rate, and the third group enjoying new features with little or no risk to their devices.
The new Microsoft Edge bounty joins a number of other programs Microsoft currently offers to researchers, including the Online Services Bug Bounty, the Nano Server Technical Preview Bug Bounty, the .NET Core and ASP.NET Core RC2 Bug Bounty, the Mitigation Bypass Bounty, and the Bounty for Defense program.
Previously, there was a Microsoft Edge Technical Preview Bug Bounty that began April 22, 2015, and ended on June 22, 2015. According to the listing, Microsoft paid between $1,500 and $15,000 for Remote Code Execution vulnerability discoveries, and for finding a Sandbox Escape vulnerability with Enhanced Protected Mode. Between $1,500 and $6,000 was paid for higher severity vulnerabilities in the browser or EdgeHTML, and a mere $500 was paid for ASLR Info Disclosure vulnerabilities in Edge or EdgeHTML.
“Our new bounty programs add expanded depth and flexibility to our existing community outreach programs,” states Microsoft. “Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers.”
Right now, the new Microsoft Edge bounty doesn’t appear on the Microsoft Bounty Programs website. Four of the bounties listed above are ongoing, whereas the .NET Core and ASP.NET Core RC2 Bug Bounty ends on September 7, 2016. If you fall under the “hacker” and “researcher” umbrella and want to earn some cash, take a look at what Microsoft is offering. You’ll be helping us all out and banking some nice green bills in the process.