Initially time-bound, the Microsoft Edge Bounty Program has now been turned into one that will run indefinitely, Microsoft has announced.
The past and present of the Microsoft Edge Bounty Program
“Since 2013, we have launched three browser bounties to uncover specific vulnerabilities. As security is a continuous effort and not a destination, we prioritize identifying different types of vulnerabilities in different points of time,” says Akila Srinivasan, a program manager with the Microsoft Security Response Center.
In August 2016, Microsoft launched the Edge Web Platform bounty on Windows Insider Preview (WIP) to incentivize researchers to report remote code execution bugs, same-origin policy bypass vulnerabilities, and referrer spoofing vulnerabilities in its latest browser.
Before that, in April 2015, when Edge was still just codenamed Spartan, Microsoft invited researchers to search for and report RCE vulnerabilities, sandbox escape flaws, and design-level security bugs. That particular bug bounty program was limited to two months.
Now, Microsoft is still looking for information about RCE or important design issues that compromise a customer’s privacy and security, as well as other flaws:
The company has noted that higher payouts for specific bugs are possible, but are at Microsoft’s sole discretion and depend on the entry quality and complexity.
Bug hunters are invited to submit vulnerabilities found in Microsoft Edge shipping on the latest Windows 10 Insider Preview slow ring/build.
“If a submission reproduces in a previous WIP Slow build but not the current WIP Slow at the time of your submission then the submission is ineligible,” they noted.