For years, Microsoft has run a bug bounty program where security researchers could report bugs in Microsoft products and earn money for their findings.

Microsoft was one of the first major tech companies to do so, but the program was always limited in scope, as only a few of the company's products were eligible for rewards.

Products like Office 365, Azure, and Edge have been part of this program. So has Windows, but in a limited capacity, as Microsoft always decided what Windows features researchers could probe, and for what amount of time.

Microsoft opens Windows 10 to bug hunters. No holds barred.

Today, Microsoft announced that Windows has become a permanent part of the company's bug bounty program and that all features are now eligible for monetary rewards.

Furthermore, besides opening all Windows features to hackers, Microsoft also announced it increased monetary rewards, with security researchers having the opportunity to earn from $500 to $250,000 for reported bugs.

"The bounty program is sustained and will continue indefinitely at Microsoft’s discretion," the Microsoft team said today. "Any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security will receive a bounty."

Bug hunters looking for vulnerabilities can search for them in "all features of the Windows Insider Preview, in addition, to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge."

Today's announcement comes a month after Microsoft also made Edge a permanent part of its vulnerability rewards program. Below is a table with vulnerability payouts for each focus area.

| Category | Targets | Windows Version | Payout range (USD) |
|---|---|---|---|
| Focus area | Microsoft Hyper-V | Windows 10; Windows Server 2012; Windows Server 2012 R2; Windows Server Insider Preview | $5,000 to $250,000 |
| Focus area | Mitigation bypass and Bounty for defense | Windows 10 | $500 to $200,000 |
| Focus area | Windows Defender Application Guard | WIP slow | $500 to $30,000 |
| Focus area | Microsoft Edge | WIP slow | $500 to $15,000 |
| Base | Windows Insider Preview | WIP slow | $500 to $15,000 |

***If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10% of the highest amount they could’ve received (example: $1,500 for a RCE in Edge, $25,000 for RCE in Hyper-V)