Microsoft is asking researchers to look for bugs inside the latest Windows 10 version (Insider Preview slow ring).
Remote code execution bugs can net finders up to $15,000, elevation of privilege flaws up to $10,000, and information disclosure, remote DoS, and spoofing bugs up to $5,000.
As always, high-quality reports with proofs of concept will result in bigger payouts.
Vulnerabilities in Windows Journal, Windows Store, Windows Apps, Flash, firmware, third-party drivers, or third-party software in Windows are not in scope, nor are vulnerabilities requiring extensive or unlikely user actions.
Other bounty programs still going strong
“[The Windows Bounty Program] will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge,” the MSRC Team noted in the announcement.
That is not to say that the bug bounty programs specifically focused on any of these areas will be terminated – they will not.
The company reiterated the main details of these programs through a simple table:
A high-quality report, PoC and exploit code for a remote code execution vulnerability in Microsoft Hyper-V that enables a guest virtual machine to compromise the hypervisor can, for example, get the discoverer up to half a million dollars.
A total bypass of all mitigation technologies incorporated in Windows 10 can result in a paid bounty that can reach as high as $100,000.