For years, Microsoft has run a bug bounty program where security researchers could report bugs in Microsoft products and earn money for their findings.
Microsoft was one of the first major tech companies to do so, but the program was always limited in scope, as only a few of the company's products were eligible for rewards.
Products like Office 365, Azure, and Edge have been part of this program. So has Windows, but only in a limited capacity: Microsoft ran time-boxed bounties that covered only the Windows features it chose to open to researchers, and only for as long as it chose to keep them open.
Today, Microsoft announced that Windows has become a permanent part of the company's bug bounty program and that all features are now eligible for monetary rewards.
Furthermore, besides opening all Windows features to researchers, Microsoft also announced that it increased monetary rewards, so security researchers can now earn from $500 to $250,000 for a reported bug, depending on the target and the severity of the flaw.
"The bounty program is sustained and will continue indefinitely at Microsoft's discretion," the Microsoft team said today. "Any critical or important class remote code execution, elevation of privilege, or design flaws that compromise a customer's privacy and security will receive a bounty."
Bug hunters looking for vulnerabilities can search for them in "all features of the Windows Insider Preview, in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge."
| Category | Targets | Windows version | Payout range (USD) |
|---|---|---|---|
| Focus area | Microsoft Hyper-V | Windows Server 2012, Windows Server 2012 R2, Windows Server Insider Preview | $5,000 to $250,000 |
| Focus area | Mitigation bypass and Bounty for defense | Windows 10 | $500 to $200,000 |
| Focus area | Windows Defender Application Guard | Windows Insider Preview (slow ring) | $500 to $30,000 |
| Focus area | Microsoft Edge | Windows Insider Preview (slow ring) | $500 to $15,000 |
| Base | Windows Insider Preview | Windows Insider Preview (slow ring) | $500 to $15,000 |
Note: if a researcher reports a qualifying vulnerability that Microsoft had already found internally, the first external finder is still paid, but at a maximum of 10% of the highest amount the bug could otherwise have earned (for example, $1,500 for an RCE in Edge, or $25,000 for an RCE in Hyper-V).