Microsoft will pay you cash for hunting down specific vulnerabilities for Microsoft Edge in the Windows Insider program

Microsoft’s Jason Shirk from the MSRC Team reports that the company has added another bounty program to its roster for bug hunters. This one targets possible remote code execution vulnerabilities within the version of Microsoft Edge that’s served up to participants in the Windows Insider program. For consumers, that means a good chunk of vulnerabilities will have already been tracked down and patched before a new version of the browser is released to the masses.

“This bounty continues our partnership with the security research community in working to secure our platforms, in pre-release stages of the development process,” Shirk writes. “The Windows Insider program is built to help shape the future of Windows, and represents the latest in features, including new security features and mitigations.”

The new Microsoft Edge bounty began on August 4, 2016, and will conclude on May 15, 2017. Bug hunters will be paid handsomely for their research, earning between $500 and $15,000. However, if they report a qualifying vulnerability that Microsoft had already found internally, the company will offer up to $1,500 to the first “external” individual who submits a report.

Additionally, all vulnerabilities uncovered by researchers must be reproducible on the latest version of Windows 10 in the Windows Insider program “slow ring.” For the uninitiated, the Windows Insider program is broken down into “fast,” “slow,” and “Release Preview” rings, with the first group getting builds as they’re completed, the second group receiving slightly more polished and stable builds at a slower rate, and the third group enjoying new features with little or no risk to their devices.

The new Microsoft Edge bounty joins a number of other programs Microsoft currently offers to researchers, including the Online Services Bug Bounty, the Nano Server Technical Preview Bug Bounty, the .NET Core and ASP.NET Core RC2 Bug Bounty, the Mitigation Bypass Bounty, and the Bounty for Defense program.

Previously, there was a Microsoft Edge Technical Preview Bug Bounty that began April 22, 2015, and ended on June 22, 2015. According to the listing, Microsoft paid between $1,500 and $15,000 for Remote Code Execution vulnerability discoveries, and for finding a Sandbox Escape vulnerability with Enhanced Protected Mode. Between $1,500 and $6,000 was paid for higher severity vulnerabilities in the browser or EdgeHTML, and a mere $500 was paid for ASLR Info Disclosure vulnerabilities in Edge or EdgeHTML.

“Our new bounty programs add expanded depth and flexibility to our existing community outreach programs,” states Microsoft. “Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers.”

Right now, the new Microsoft Edge bounty doesn’t appear on the Microsoft Bounty Programs website. Four of the bounties listed above are ongoing whereas the .NET Core and ASP.NET Core RC2 bug bounty ends on September 7, 2016. If you fall under the “hacker” and “researcher” umbrella and want to earn some cash, take a look at what Microsoft is offering. You’ll be helping us all out and banking some nice green bills in the process.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…