Microsoft has expanded its existing bug bounty system to include all manner of Windows flaws if they are found within one of its slow ring Insider builds. Whether you find them in the base operating system itself, or any of its companion software pieces, you may now be able to claim a finder’s fee reward from Microsoft up to $15,000, Ars Technica reports
Bug bounty systems are a tried-and-tested formula for finding bugs before they can see wider exploitation. It turns the practice of discovering flaws into a money-making endeavor, rather than the exploitation of them. Microsoft has seen much success with bounties for the Edge browser, and exploit-mitigation systems.
It’s now added an ongoing bounty offering of up to $15,000 for “critical and important vulnerabilities” discovered in the slow ring Windows Insider preview builds. This represents the most general bounty scheme that Microsoft has yet launched and opens the door to a wider range of exploits to be discovered.
As much as digging for bugs in Windows Insider builds would be a decent way to earn a living for a number of hackers, regardless of the color hat they wear, Microsoft’s older, more selective bounty systems are still far more lucrative. One key area Microsoft is looking to shore up is its virtual machine Hyper-V system. Find a flaw in that and Microsoft could reward you up to $250,000, whether it is for Windows 10, Server 2012 or a Windows Server Insider preview.
Problems found with the Windows Defender Application Guard come with a $30,000 bounty attached, whereas mitigation bypass bugs could net you as much as $100,000 if discovered. In total there are eight ongoing bug bounty schemes, some of which have been in operation for as long as four years.
The reward figures listed are the maximum, however, so most bugs will unlikely earn that much. The smallest payout for any category is $500, so don’t expect to retire if you find a singular flaw in a piece of Microsoft software. The potential is there, though, if your detection skills are strong enough.
You have time to find them too, as most crucially, the new bounties are not time-limited. While in the past the software giant often pushed for bugs to be found within a select time period to help clear up software before launch, with its new bounties it has them all listed as “ongoing,” with no stated plan for finalizing them.
- Microsoft will pay you up to $250,000 to find Spectre-like flaws
- Intel opens bug hunt to all security researchers, offers possible $250K payout
- Microsoft misses another Edge-related 90-day security disclosure deadline
- Did I do that? Intel is going to make a killing fixing its own Meltdown
- AMD is working on fixes for the reported Ryzenfall, MasterKey vulnerabilities