Xbox Bounty Program | MSRC (original) (raw)

PROGRAM DESCRIPTION

The Xbox Bounty Program invites gamers and security researchers to identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty awards of $1,250 to $20,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Identify a previously unreported vulnerability that reproduces in our latest, fully patched version of Xbox Live network and services at the time of submission.

We request researchers include the following information to help us quickly assess their submission:

• Submit through the MSRC Researcher Portal.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Vulnerabilities submitted in the following products and services are eligible under this bounty program:

• Xbox Live network and services

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

Sign up for an Xbox network account. We recommend creating one or more test accounts to conduct security vulnerability research.

• Access to a Xbox 360, Xbox One, Xbox One S or Xbox One X is not required for testing but may be useful. Please note, consoles will not be provided for testing purposes.
• Access to a Xbox Gold, Project xCloud, Xbox Game Pass, Xbox Game Pass for PC or Xbox Game Pass Ultimate account is not required for testing but may be useful. Please note, paid accounts will not be provided for testing purposes.

Follow Xbox on X, Xbox community site and forums to learn about the latest features and releases.

BOUNTY AWARDS

Bounty awards range from 1,250upto1,250 up to 1,250upto20,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.