Microsoft Edge Bounty Program
PROGRAM DESCRIPTION
The Microsoft Edge Bounty Program welcomes individuals to seek out and submit vulnerabilities unique to Microsoft Edge based on Chromium. Qualified submissions are eligible for bounty awards from $250 to $30,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
ELIGIBLE SUBMISSION?
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
We request that researchers submit through the MSRC Researcher Portal and include the information listed below to help us quickly assess their submission.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a previously unreported vulnerability that is unique to Microsoft Edge based on Chromium, in the Dev, Beta, or Stable channels, and which does not reproduce on the equivalent channel of Google Chrome.
- Vulnerabilities must be reproducible on the latest version of Microsoft Edge at the time of submission running on the latest, fully patched version of Windows (including Windows 10), Linux, macOS, Android, or iOS. Testing in Windows Insider Preview is not required.
- Include the version number of Microsoft Edge used to reproduce the vulnerability (e.g., Version 77.0.188.0 (Official build) dev (64-bit)), and the version number of Chrome used to verify that the vulnerability does not reproduce on Chrome. Eligible Microsoft Edge versions are 77 or higher.
- Demonstrable exploits in Microsoft Edge WebView2 are eligible for consideration under this bounty program.
- The eligible Microsoft Edge WebView2 SDKs and runtimes are:
* WebView2 prerelease and release SDK
* Evergreen WebView2 runtime, and the runtimes in the Dev and Beta channels of Microsoft Edge
- Vulnerabilities must be reproducible on the latest WebView2 SDKs and runtimes at the time of submission, running on the latest, fully patched version of Windows (including Windows 10).
- Include the version number of the WebView2 SDK (e.g., 1.0.1905-prerelease or 1.0.2088.41) and the WebView2 runtime (e.g., Version 114.0.1823.79) used to reproduce the vulnerability.
- Demonstrable exploits in third-party components that reproduce in Microsoft Edge but not in Chrome are also eligible for consideration under this bounty program.
- A full proof of concept (PoC) of exploitability is required. For example, simply identifying an out-of-date library would not qualify for an award.
- Include concise reproducibility steps that are easily understood, either in writing or in video format.
- This allows submissions to be processed as quickly as possible and supports the highest bounty awards.
- Must provide Proof of Concept (PoC) with submission.
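The criteria above ask for two things a PoC page can record for you: the exact Edge (or WebView2) build the bug reproduced on, and the Chrome build on which it did not. The following JavaScript helper is an added example, not code from the MSRC page or from Microsoft: it classifies the running browser from the UA Client Hints brand list (falling back to the classic user-agent string), captures the full version, and checks a pair of runs against the stated eligibility rules (reproduces on Edge 77 or later, does not reproduce on Chrome). The brand name "Microsoft Edge WebView2" and the "WebView2" user-agent token are assumptions and should be confirmed on a real WebView2 host; the sample brand lists at the bottom are constructed, not captured.

```javascript
// Added example (not from the MSRC page): helpers a researcher can embed in a
// browser PoC page to record which Chromium build ran the repro, so the report
// carries the Edge and Chrome version strings the program asks for.

// Brand names exposed through UA Client Hints (navigator.userAgentData), ranked
// from least to most specific. The WebView2 brand name is an assumption.
const BRAND_RANK = {
  "Chromium": 0,
  "Google Chrome": 1,
  "Microsoft Edge": 2,
  "Microsoft Edge WebView2": 3,
};
const BRAND_ID = {
  "Chromium": "chromium",
  "Google Chrome": "chrome",
  "Microsoft Edge": "edge",
  "Microsoft Edge WebView2": "webview2",
};

// Pick the most specific recognised brand from a brands/fullVersionList array.
// GREASE entries such as "Not A;Brand" carry no meaning and are skipped.
function classifyBrands(brands) {
  let best = null;
  for (const { brand, version } of brands) {
    if (!(brand in BRAND_RANK)) continue;
    if (best === null || BRAND_RANK[brand] > BRAND_RANK[best.brand]) {
      best = { brand, version };
    }
  }
  if (best === null) return { browser: "unknown", version: "" };
  return { browser: BRAND_ID[best.brand], version: best.version };
}

// Fallback for engines without userAgentData: parse the classic UA string.
// Edge appends "Edg/<version>" after Chrome's "Chrome/<version>" token, so the
// Edge token must be checked first. The "WebView2" token is an assumption.
function parseUserAgent(ua) {
  const edge = /Edg\/([\d.]+)/.exec(ua);
  const chrome = /Chrome\/([\d.]+)/.exec(ua);
  if (edge) {
    return { browser: /WebView2/.test(ua) ? "webview2" : "edge", version: edge[1] };
  }
  if (chrome) return { browser: "chrome", version: chrome[1] };
  return { browser: "unknown", version: "" };
}

// "77.0.188.0" -> [77, 0, 188, 0]; non-numeric components become 0.
function parseVersion(s) {
  return s.split(".").map((p) => parseInt(p, 10) || 0);
}

// Component-wise comparison; missing trailing components count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Check a pair of repro runs against the program's stated criteria: the bug
// reproduces on Edge or WebView2 (major >= 77) and does not reproduce on the
// Chrome control run. Each run is { browser, version, reproduced }.
function assessSubmission(edgeRun, chromeRun) {
  const reasons = [];
  if (edgeRun.browser !== "edge" && edgeRun.browser !== "webview2") {
    reasons.push("repro run was not on Microsoft Edge or WebView2");
  }
  if (!edgeRun.reproduced) reasons.push("does not reproduce on Edge");
  if (compareVersions(edgeRun.version, "77.0.0.0") < 0) {
    reasons.push("Edge version below 77");
  }
  if (chromeRun.browser !== "chrome") reasons.push("control run was not on Google Chrome");
  if (chromeRun.reproduced) reasons.push("also reproduces on Chrome");
  return { eligible: reasons.length === 0, reasons };
}

// Gather version strings from the live browser. Returns null when no
// navigator is available (e.g. under Node), so the block also runs stand-alone.
async function captureEnvironment(nav = globalThis.navigator) {
  if (!nav) return null;
  if (nav.userAgentData && nav.userAgentData.getHighEntropyValues) {
    const hints = await nav.userAgentData.getHighEntropyValues(["fullVersionList", "platformVersion"]);
    const info = classifyBrands(hints.fullVersionList || nav.userAgentData.brands);
    return { ...info, platform: nav.userAgentData.platform, platformVersion: hints.platformVersion, userAgent: nav.userAgent };
  }
  return { ...parseUserAgent(nav.userAgent || ""), userAgent: nav.userAgent || "" };
}

// Constructed sample brand lists (not real captures) for exercising the helpers.
const EDGE_BRANDS = [
  { brand: "Not A;Brand", version: "99.0.0.0" },
  { brand: "Chromium", version: "114.0.5735.134" },
  { brand: "Microsoft Edge", version: "114.0.1823.79" },
];
const CHROME_BRANDS = [
  { brand: "Chromium", version: "114.0.5735.134" },
  { brand: "Google Chrome", version: "114.0.5735.134" },
  { brand: "Not A;Brand", version: "99.0.0.0" },
];

if (typeof require !== "undefined" && require.main === module) {
  const edge = { ...classifyBrands(EDGE_BRANDS), reproduced: true };
  const chrome = { ...classifyBrands(CHROME_BRANDS), reproduced: false };
  console.log(JSON.stringify({ edge, chrome, verdict: assessSubmission(edge, chrome) }));
}
```

In a PoC page, call `captureEnvironment()` once on load and print or post the result next to the repro outcome; run the same page in the equivalent Chrome channel and attach both records to the report so the "does not reproduce on Chrome" requirement is documented rather than asserted.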
Any vulnerabilities in AI systems found in Copilot Mode in Edge may be eligible for award under the Copilot Bounty Program.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
SCOPE
Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:
- Microsoft Edge based on Chromium, in the Dev, Beta, or Stable channels
- Vulnerability must not reproduce on the equivalent channel of Google Chrome
GETTING STARTED
Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.
Download the next version of Microsoft Edge and follow the browser vulnerability research blog, Microsoft Edge team blog, community forums, GitHub, Microsoft Edge Insider page, and Twitter to learn about the latest features and releases.
There are several features in Microsoft Edge on Chromium that are unique to Edge and may be good places to start looking for Microsoft bounty eligible vulnerabilities. Below are a few examples:
- Internet Explorer (IE) Mode: This feature allows enterprise administrators to maintain a trusted list of sites allowed to be opened in IE Mode within the Edge browser. This feature requires a supported version of Windows. See the new Microsoft Edge documentation for more details on this feature.
- PlayReady DRM: This feature allows the new Microsoft Edge to show media content protected with PlayReady DRM (in addition to Widevine DRM, which is also supported by Google Chrome).
- Sign in with Microsoft Account (MSA) or Azure Active Directory (AAD): This feature allows users to sign into the browser with an MSA or AAD, which can enable syncing across devices and other personalization. Vulnerabilities affecting Microsoft Identity services will be reviewed and awarded under the Microsoft Identity bounty program if eligible.
- Edge PDF: Microsoft Edge’s bespoke PDF viewer powered by Adobe Acrobat.
- Microsoft Edge WebView2: Download the Evergreen runtime and set up your development environment for WebView2. Refer to the WebView2 documentation to learn more about WebView2. Follow the WebView2 Release Notes, WebView2Feedback and WebView2Announcements GitHub repositories to learn about current issues, latest feedback, and releases.
AWARDS
Bounty awards range from $500 up to $30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.