Microsoft widens its Bug Bounty program for Edge, get paid to find and report browser bugs

Reading time icon 2 min. read

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Microsoft has been busy expanding its Bug Bounty program this year. So far the company has added rewards for finding exploits in .Net Core, ASP .Net Core, and OneDrive. Last month, Microsoft also added Edge to the Bug Bounty program. Specifically, Microsoft started offering rewards to anyone who found Remote Code Execution vulnerabilities in Edge on Windows Insider Preview builds.

According to a report from The Register, Microsoft is now expanding their Bug Bounty program for Edge beyond just Remote Code Execution. The program will now also payout up to $6,000 for proof of a flaw in Edge that violates W3C standards. W3C is the World Wide Web Consortium is an international standards organization for the web which has produced industry-leading standards that define the Open Web Platform. Microsoft is looking for violations of W3C standards that compromise privacy or integrity of user date. This includes violation of SoP and Referrer spoofs.

Recently announced Edge sandboxing might make many bugs a thing of the past.
In the future, Edge sandboxing might make many bugs a thing of the past.

Violations of XSS will only result in up to $1,500 rewards. Finding a Remote Code Execution bug is still the highest payout, of up to $15,000. The Edge bug bounty program only runs until May 15th, 2017. And it has to be found on Windows 10 Insider Preview builds from the slow ring.

There are also a few standards for what makes up an eligible submission. The include:

  • Identify an original and previously unreported vulnerability in the current Microsoft Edge on WIP slow
  • The vulnerability has to reproduce on the recent WIP slow builds in order to qualify for a bounty
    • If a submission reproduces in a previous WIP Slow build but not the current WIP Slow at the time of your submission then the submission is ineligible
  • Include concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the WIP slow build number on which the vulnerability reproduces

If you think you might have found a bug in Edge related to RCE or W3C violations, head over to Microsoft’s TechNet site to submit to the Microsoft Edge Web Platform on Windows Insider Preview Bug Bounty Program.