Microsoft has this week announced a bounty program with rewards up to $20,000 for high-quality reports that demonstrate security weaknesses in its Xbox Live Network.
The program is open to anybody with the skills and ability to demonstrate bugs; rewards scale with the quality of the report and the type of security weakness identified. The figures range from $500 to $20,000 depending on the “vulnerability impact,” with Remote Code Execution listed as the most severe and, therefore, the highest-paying category of finding.
Microsoft outlines the purpose of the initiative over on its website:
“The goal of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of Microsoft’s customers.”
Full details of how to get started and a table highlighting the different reward tiers can be viewed over on the website.
Notably, there are several types of security issues that Microsoft is not interested in hearing about and will not consider eligible for rewards. These include:
- Server-side information disclosure such as IPs, server names and most stack traces
- Low impact CSRF bugs (such as logoff)
- Denial of Service issues
- Sub-Domain Takeovers
- Cookie replay vulnerabilities
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
As noted by The Verge, Microsoft has run bug-bounty-style programs in the past for its Windows 10 software, in that case offering a whopping $250,000 at its highest report tier.