The Xbox Bounty Program is open to gamers, security researchers and basically anyone who can help the tech giant identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team, Chloé Brown, a Microsoft Security Response Center program manager, said in a blog post Thursday.
“Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service,” she wrote in the post. “The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers.”
The minimum award for identifying an Xbox bug is $500. As is always the case in its bug-bounty programs, Microsoft will award submissions at the company’s discretion and pay “based on the severity and impact of the vulnerability and the quality of the submission,” according to the program’s guidelines.
If early reception to the new program is any indication, researchers welcome the opportunity to be paid for hacking the Xbox platform, as they already have been doing it for free.
“Absolutely get in on this if you want fun research,” Tweeted Kevin Beaumont, a self-appointed “cybersecurity bore.” Beaumont said he already has launched a man-in-the-middle attack on his own Xbox One and found “some really interesting things going on,” adding that “more research would be good as I couldn’t find anything for it on Google.”
DIY Xbox hackers should be warned, however, that Microsoft has rather strict rules and conditions for what type of Xbox bugs the company will pay researchers to identify and what type won’t be included in the reward system. The company also posted a list outlining the impact of a vulnerability versus the award for which it’s eligible.
The type of vulnerabilities that could cause the impact that would warrant an award from the company are: cross site scripting (XSS); cross site request forgery (CSRF); insecure direct object references; insecure deserialization; injection vulnerabilities; server-side code execution; significant security misconfiguration (when not caused by user); and using a component with known vulnerabilities (when demonstrated with a working proof of concept).
Microsoft also prohibits a number of actions under its new Xbox bounty program, including any kind of DoS testing, performing automated testing of services that generates significant amounts of traffic, or gaining access to any data that does not entirely belong to the user.
“For example, you are allowed and encouraged to create a small number of test accounts for the purpose of demonstrating and proving cross-account access,” according to the program rules. “However, it is prohibited to use one of these accounts to access the data of a legitimate customer or account.”
The XBox program is the latest Microsoft is offering to enlist the public to help it identify security holes in its products. The company already has a significant number of bounty programs for its broad range of products, including for its online services; identity solutions such as Azure ActiveDirectory; and Hyper-V hypervisor.
A $20,000 peak bounty is about the average top end of the scale for Microsoft’s various bounty programs. While some of the company’s reward programs offer a maximum of $15,000 for identifying vulnerabilities, several offer rewards in the hundreds of thousands of dollars.
The highest possible reward someone can win from Microsoft for identifying a vulnerability in one of its products is $300,000 for finding a bug in its Microsoft Azure cloud services.