Microsoft adds Windows bounty program that tops out at $250,000

Posted July 28, 2017

They "will continue indefinitely at Microsoft's discretion", the security response team said.

Microsoft has now expanded its bug bounty program to Windows 10, with the company stating that it is willing to pay up to $250,000 to security researchers who discover vulnerabilities in its operating system. The Windows Bounty Program encompasses Windows 10 and even the Windows Insider Preview, the company's program for testing Windows 10 preview builds.

Any critical or important class remote code execution, elevation of privilege, or design flaws that compromise a customer's privacy and security will receive a bounty. The Program consists of four categories, which give good hackers monetary payouts ranging from $500 to $250,000.

Further, the company stated that if it is already aware of the reported issue and found the problem before any participant found it, then 10% of the highest amount will be paid to the person. The main focus of the Program is to cover all the features of the Windows Insider Preview by focusing on areas such as Hyper-V, Windows Defender and more. Hyper-V is now the top priority: a bad bug in that code can earn you up to US$250k, $50k more than is on offer for any other bug, and an increase on previous payments for those who find critical remote code execution, information disclosure and denial of service vulnerabilities in the virtualization code.

If you're interested in the maximum quarter-million bounty, your only option is the Hyper-V program, although you have multiple operating systems to choose from: Windows 10, Windows Server 2012, Windows Server 2012 R2, and Windows Server Insider Preview. A researcher who finds and reports a remote code execution flaw in Windows with a high quality proof of concept can be eligible for a $15,000 payout. These three require using the Windows Insider slow ring. Paying a bounty costs the company only a little compared to fixing loopholes after it's too late.