Microsoft will pay researchers up to $15k for Edge bugs forever

Microsoft has upgraded its temporary bug bounty for Windows 10 Edge to a permanent program. 

The new permanent status follows a 10 month time-limited bounty for Edge that has seen Microsoft pay $200,000 to researchers for reports of bugs worth between $500 and $15,000 each. Microsoft hasn’t revealed how many valid reports it received other than to say it there were “many high quality reports”.

Bugs in Edge netted researchers the highest payouts in this year's Pwn2Own contest by Trend Micro, while attempts to hack Chrome failed.     

Microsoft launched the Edge Web Platform bug bounty in August last year, allowing researchers to report bugs in the browser on the latest version of the Windows Insider Preview. 

It encouraged researchers to find remote code execution (RCE), same origin policy bypass vulnerabilities (example: UXSS), and referrer spoofing vulnerabilities. 

The same basic rules still apply today; to be eligible for payment researchers must find bugs that are reproducible on the slow track of the Windows Insider Preview. 

The Edge bounty is one of seven programs Microsoft is currently running. It was was the third focussed on its browsers. The company has paid researchers a total of $1.5 million since its first bounty in 2013. 

Several major platforms have launched, relaunched or significantly raised bug bounty payments over the past year. 

Firefox maker Mozilla was one of the first internet firms to pay researchers to report bugs, launching a program in 2004 that paid researchers $500 for bugs in Firefox. In May it relaunched a bounty, offering up to $5,000 for critical remote code execution bugs in its key websites. 

Google has paid $3 million to researchers since its first bounty program in 2010 for bugs in Chrome, its websites, and Android. Earlier this month it jacked up payments for the most severe bugs in Android. Bugs that lead to a Verified Boot hack were increased from $50,000 to $200,000, remote kernel exploits moved from $30,000 to $150,000. 

Google’s top pay level for dangerous Android exploits matched Apple’s offer of up to $200,000 for critical bugs in iOS secure boot firmware components. Apple kicked off its private bug bounty program late last year.     

Tags MicrosoftGoogleAppleFirefoxmozillachromebugs and security failures

Show Comments