Windows Bounty | MSRC (original) (raw)
PROGRAM DESCRIPTION
The Microsoft Windows Insider Preview bounty program invites eligible researchers to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Canary Channel.
Qualified submissions are eligible for bounty awards from 500to500 to 500to100,000 USD. This includes third-party and open-source components shipped by default in the product or service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Such vulnerability must be Critical or Important severity as defined in the Microsoft Vulnerability Severity Classification for Windows.
- To be eligible for General Awards, your submission must be reproducible against the latest Canary Channel build of Windows Insider Preview.
- To be eligible for Attack Scenario Awards, your submission must include a proof of concept demonstrating the vulnerability against the latest Canary Channel build of Windows Insider Preview.
- Include in the submission the latest Canary Channel buildthat was tested and revision string in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx registry key.
* For example, 99999.1.amd64fre.fs5_release.180914-1434.en-us - To be eligible for all Attack Scenario Awards, any additional information for your report must be shared with your case manager or submitted through new files on your case within 30 days of the submission in order to help the engineering team reproduce your report as quickly as possible.
- To be eligible for local Attack Scenario Awards, your proof of concept must demonstrate an ability to elevate privileges under the restricted context of an eligible sandbox. During testing, this restricted context will be achieved using the Launch App Container tool. The submission must trigger the vulnerability when it is launched from this tool when using the LPAC flag. Additional capabilities may be included only if they are used by eligible sandboxes.
- Submissions that rely exclusively on a debugger for purposes such as suspending threads or modifying memory/code are not eligible for Attack Scenario Awards.
- Submissions that can demonstrate a vulnerability without the use of a debugger but provide expedited reproduction steps with the use of a debugger are still eligible for Attack Scenario Awards.
- Include in the submission the latest Canary Channel buildthat was tested and revision string in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx registry key.
- Bounty awards will be based on the version of Windows Insider Preview used in the original proof of concept at the time of submission.
- Affect a feature that is both serviced and eligible for bounty according to the Microsoft Security Servicing Criteria for Windows.
- Use a component with known vulnerabilities.
- Requires proof of reachability. For example, a small program that causes the identified vulnerable code to be run.
We request researchers include the following information to help us quickly assess their submission
- Submit through the MSRC Researcher Portal
- Indicate in the vulnerability submission which attack scenario (if any) your report qualifies for.
- Describe the attack vector for the vulnerability.
SCOPE
Vulnerabilities submitted in the following products and services are eligible under this bounty program:
- Latest Canary Channel build of Windows Insider Preview.
GETTING STARTED
Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.
To get started, join the Windows Insider Preview program anddownload the latest Canary Channel version.
For more information, see:
- https://insider.windows.com/
- https://insider.windows.com/en-us/getting-started
- https://aka.ms/flighthub
- https://blogs.windows.com/windowsexperience/tag/windows-insider-program/
BOUNTY AWARDS
Bounty awards range from 500USDupto500 USD up to 500USDupto100,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.
If a reported vulnerability does not qualify for a bounty award under the Attack Scenarios, it may be eligible for a bounty award under General Awards (see applicable chart below).
Attack Scenario Awards1
| Attack Vector | Scenario | Maximum Award (USD) |
|---|---|---|
| Remote2 (assumes no prior execution) | Unauthenticated3 non-sandboxed code execution with no user interaction | $100,000 |
| Demonstrated4 unauthenticated and unauthorized access to private5 user data or data that can be used to weaken existing user protections with little6 or no user interaction | $50,000 | |
| Unauthenticated data destruction or persistent denial of service with no user interaction that is triggered by using a small number of packets and results in a remote BSOD or crash in a high value asset7 | $30,000 | |
| Unauthenticated data destruction or persistent denial of service with no user interaction that results in a crash in any service except a high value asset7 | $5,000 | |
| Local (assumes prior execution) | Sandbox8 escape with little or no user interaction | $30,000 |
| Demonstrated unauthorized access to private user data or data that can be used to weaken existing user protections from a sandboxed8 process with no user interaction | $30,000 |
1Proof-of-concepts for an Attack Scenario Award must exercise a vulnerability within a shipped Windows application. This includes, without limitation, shipped clients, servers, and services.
2_Remote_ attacks are only those attacks that do not require physical proximity. Physical proximity attacks include but are not limited to attacks requiring Wi-Fi, Bluetooth, or other short range radio protocols. Resource exhaustion issues and issues which require resources to be strained in order to trigger are not eligible for a Remote Attack Scenario Award.
3_Unauthenticated_ attacks are only those attacks that require no credentials or being part of a domain, and lateral movement attacks are strictly out-of-scope as these would be considered post-auth. Additionally, attacks that require the victim to already have the application open, download an attachment, or interact with the application in any way are out-of-scope.
4_Demonstrated_ means submission must include a proof of concept that shows how the reported vulnerability can be used by the attacker to retrieve data.
5_Private data_ means user files, emails, photos or similar data protected behind a Windows security boundary.
6_Little user interaction_ includes, without limitation, clicking a file or browsing to a website.
7_High value assets_ include, without limitation, DHCP Server, DNS Server, epmapper (MS-RPC), Hyper-V Remote Access, IIS Web Server HTTP/HTTPs.
8_Eligible sandboxes_ are New Microsoft Edge based on Chromium renderer process, Windows Defender Sandbox (MsMpEngCP), WinHTTP Web Proxy Auto-Discovery Service (WPAD) sandboxed process, UtcDecoderHost.exe sandboxed process. Ineligible sandboxes are AppContainer (AC) and Internet Explorer sandbox, these are eligible for general bounty awards (see below).
General Awards
| Security Impact | Maximum Award (USD) |
|---|---|
| Remote Code Execution | $5,000 |
| Security Feature Bypass | $1,000 |
| Spoofing | $1,000 |
| Tampering | $1,000 |
| Denial of Service | $500 |
Elevation of Privilege
Bounty awards are based on the finishing privilege.
| Finishing Privilege | Maximum Award (USD) |
|---|---|
| Low IL | $2,000 |
| Medium IL | $2,000 |
| High IL | $8,000 |
| System IL | $8,000 |
Information Disclosure
Bounty awards are based on the finishing privilege.
| Finishing Privilege | Maximum Award (USD) |
|---|---|
| Low IL | $1,000 |
| Medium IL | $1,000 |
| High IL | $2,000 |
| System IL | $2,000 |
OUT-OF-SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award.
If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under theStandard Award Policy.
Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:
- Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community.
- Any submission that does not demonstrate testing and reproduction in Windows Insider Preview Canary Channel at time of submission.
- Crash dumps that do not demonstrate the reported behavior on the latest Canary Channel build.
- Versions of Windows 10.
- Any version of Windows Server other than latest, fully patched version at time of submission.
- Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community.
- Low or Moderate severity vulnerabilities.
- Submissions impacting features not serviced and eligible for bounty according to the Microsoft Security Servicing Criteria for Windows.
- Vulnerabilities in Windows Store, Windows Apps, and firmware.
- Vulnerabilities requiring extensive or unlikely user actions.
- Vulnerabilities that are only reachable via Microsoft Internet Explorer or Microsoft Edge Legacy. Please use the new Microsoft Edge.
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations.
- Vulnerabilities in Windows components for which Microsoft is actively working on large scale fixes.
- Vulnerabilities in Remote Access Service (RAS) server components are not eligible for an Attack Scenario Award.
- Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configurations. Common configurations that are either default configurations or configurations that are specifically recommended on MSDN or official Microsoft documentation. Examples of uncommon configurations include, without limitation:
- Vulnerabilities that require enabling Server Message Block protocol (SMBv1).
- Vulnerabilities in features Microsoft recommends against using, such as XPS Filters.
- Sandbox escapes with User Account Control (UAC) disabled.
- Enabling WINS or other legacy, insecure protocols.
- Proof-of-concepts that exercise a vulnerability within a custom application are not eligible for an Attack Scenario Award. This includes, without limitation, fuzzing harness, custom clients, and custom servers.
- Vulnerabilities in line printer daemon (LPD) protocol.
- Vulnerabilities in Windows Admin Center and the installers for Windows Admin Center.
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service.
- Training, documentation, samples, and community forum sites related to Microsoft Windows Insider Preview Bounty Program products and services are out-of-scope for bounty awards.
ADDITIONAL INFORMATION
For additional information please see ourFAQ.
REVISION HISTORY
- July 26, 2017: Program launched.
- January 17, 2019: Added Security Servicing Criteria and updated duplicate report guidelines. Added temporary Windows sandbox escape scope and increased award levels.
- October 3, 2019: Removed Defender AV sandbox escape bounty bonus. Added How Do I Provide My Report section.
- February 10, 2020: Renamed "Bounty Scope" section to "Out-of-Scope Submissions and Vulnerabilities."
- April 22, 2020: Added out-of-scope - vulnerabilities that rely on Microsoft Internet Explorer or Microsoft Edge Legacy and vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations, including examples.
- July 24, 2020: Added attack scenario awards and general award table, increasing top award to $100,000. Added requirement that eligible submissions must show testing and repro on Dev Channel. Separated submission eligibility into required criteria and recommended criteria.
- August 27, 2020: Moved “clear, concise, reproducible steps” from recommended to required. Added clarification that “unauthenticated” is required for Remote attack scenarios. Added definition for “demonstrated” in attack scenarios.
- September 1, 2021: Added definition for “unauthenticated” in attack scenarios. Updated “Eligible Submissions” section to provide clarity for what to include in a submission. Updated list of eligible sandboxes.
- December 8, 2021: Added enabling WINS and other legacy products to Out-of-Scope under the Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configuration bullet.
- December 20, 2021: Added additional detail to the Unauthenticated RCE Scenario exclusion in footnote 1.
- January 18, 2022: Removed local vulnerabilities involving race conditions in user-mode components from Out-of-Scope.
- January 20, 2022: Removed local vulnerabilities involving file path redirection through junctions or mountpoints from Out-of-Scope.
- February 25, 2022: Added additional detail on what is required in a proof-of-concept.
- March 4, 2022: Clarified common configuration definition in the Out-of-Scope section.
- May 4, 2022: Added additional detail for what is required in a proof-of-concept.
- October 31, 2022: Updated general and scenario award requirements in the Eligible Submissions section.
- February 6, 2023: Added out-of-scope – vulnerabilities in Windows components for which Microsoft is actively working on large scale fixes. Remote Access Service (RAS) server components not eligible for Attack Scenario awards.
- February 27, 2023: Added to out-of-scope – vulnerabilities in features Microsoft recommends against using, such as XPS Filters.
- March 8, 2023: Updated from “latest Dev Channel build” to “latest Canary Channel build”.
- April 5, 2023: Added clarification for debugger use for Attack Scenario Awards.
- April 19, 2023: Added additional detail for what is required for local Attack Scenario Awards.
- June 23, 2023: Updated remote Attack Scenario award and updated footnote 2.
- July 5, 2023: Added limited-time bounty award category.
- June 5, 2024: Removed limited-time bounty award category that has ended. Added clarification for issues that require physical proximity.
- February 26, 2025: Added out-of-scope – vulnerabilities in line printer daemon (LPD) protocol.
- March 3, 2025: Updated bounty awards for Attack Scenario awards and added an additional footnote. Updated bounty award amount for General Awards.
- December 11, 2025: Updated hyperlinks and standardized language.
- March 20, 2026: Updated information disclosure scenario award.
- April 7, 2026: Updated Getting Started section.
- April 14, 2026: Added out-of-scope – vulnerabilities in Windows Admin Center and the installers for Windows Admin Center.
- May 8, 2026: Updated bounty awards for General Awards for elevation of privilege and information disclosure vulnerabilities.
- June 3, 2026: Updated requirements for Eligible Submissions.