Microsoft Hyper-V Bounty Program | MSRC (original) (raw)

PROGRAM DESCRIPTION

The Microsoft Hyper-V bounty program invites eligible researchers to find and submit vulnerabilities that reproduce in eligible product versions of Microsoft Hyper-V. Qualified submissions are eligible for bounty awards from 5,000to5,000 to 5,000to250,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Such vulnerability must be of Critical or Important severity. For an example of how Microsoft classifies vulnerability severity levels, please see the Microsoft Vulnerability Severity Classification for Windows1.
• Include the impact of the vulnerability
• Include an attack vector if not obvious

1The classification of vulnerability severity levels varies by product. Products under the Hyper-V Bounty Program may be classified differently than those listed on the Microsoft Vulnerability Severity Classification for Windows.

We request researchers include the following information to help us quickly assess their submission:

• Submit through the MSRC Researcher Portal

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program

• Hyper-V on the latest build of Windows on the Windows Insider Preview slow ring
• Hyper-V on the latest available version of Windows Server
• Hyper-Visolation containers

The Hyper-V Bounty Program is specifically aimed at finding vulnerabilities in Hyper-V that affect server hosting scenarios (such as Azure). Various Hyper-V client scenarios are covered under different bounties.

The Hyper-V bounty is focused on:

• Components and features of Hyper-V that are used in server hosting scenarios (both traditional virtual machines and Hyper-V Isolation Containers).
• The assumption that the Virtual Machine is on a separate VLAN than the host so there is no possibility to attack network services that are running on the host.
• The assumption that the host will not be interacting with the Virtual Machine in a manner that is atypical when hosting servers. For example, the host will not use enhanced session mode to interact with the virtual machine.

GETTING STARTED

Please create a test account for security testing and probing. Please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

BOUNTY AWARDS

Bounty awards range from 5,000upto5,000 up to 5,000upto250,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write-up containing any required background information, a description of the bug, and a proof of concept that reproduces without relying on a debugger for purposes such as suspending threads or modifying memory/code.

Sample high- and low-quality reports are available here.

Remote Code Execution

L1 Guest Escape

An eligible submission includes a Remote Code Execution (RCE) vulnerability in Microsoft Hyper-V that enables a L1 guest virtual machine to compromise the hypervisor, escape from the guest virtual machine to the host, or escape to another L1 guest virtual machine.