The Microsoft Windows Insider Preview bounty program is part of the Microsoft Windows Bounty Program, launched in 2017, which encompasses flaws in all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.
The Windows Insider Preview program specifically is meant for researchers to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. Windows Insiders is a software testing program for software developers that runs pre-release previews of the Windows operating system, called Windows 10 Insider Preview Builds. While bounty payouts for Windows Insider Preview ranged from $500 to $15,000 when the program first launched, Microsoft announced it would bump up those rewards in a new Friday update.
“Today we’re introducing updates to this program to further incentivize research with the highest impact, including new scenario awards up to $100,000,” said Jarek Stanley, senior program manager with Microsoft on Friday. “We’re also announcing procedural updates for more seamless integration with researchers and faster Windows bounty awards for eligible research.”
The revamped Windows Insider Preview bounty program now includes five new “attack scenario” related rewards for flaws that could put customer privacy and security at risk of exploitation. These include unauthenticated, non-sandboxed remote code execution with no user interaction ($100,000 reward), a demonstrated unauthorized, remote access to private user data with little or no user interaction ($50,000 reward) and persistent, remote denial-of-service flaw with no user interaction ($30,000 reward).
Also included is a local sandbox escape “with little or no user interaction” ($20,000 reward) and demonstrated local, unauthorized access to private user data from a sandboxed process with no user interaction ($20,000 reward).
“While we are refocusing the WIP bounty program to defend and protect customers from these five high risk exploit scenarios, we continue to offer bounties for other valid vulnerability reports that do not qualify for scenario-based awards,” said researchers. These vulnerability reports, which are categorized under “general awards,” are eligible to receive awards ranging from $500 and $5,000 and can include spoofing, information disclosure, security feature bypass and more.
Microsoft has also updated its portal for bounty hunters to report bugs, in order to “streamline communication of the data necessary to triage, assess, and award bounty for qualifying submissions.”
“If you think you’ve found a vulnerability that qualifies for a scenario-based bounty award, there are new fields in the MSRC Researcher Portal to indicate the scenario in your report,” said Microsoft. “To enable faster triage and review of WIP bounty submissions and ultimately get awards to researchers faster, we ask that all Windows vulnerability reports indicate if the issue reproduces on WIP Dev Channel, and include the build and revision string in your report.”
Microsoft has widened its various bug bounty programs since starting its first back in 2013. The company announced the Office Insider Builds on Windows, in March 2017. The company said at the time it would pay up to $15,000 for high-severity elevation of privilege vulnerabilities via Office Protected View and for macro execution vulnerabilities that bypass security policies already in place that block macros by default. More recently, in January 2020 Microsoft said it’s offering rewards of up to $20,000 for finding vulnerabilities in its Xbox gaming platform through its latest bug bounty program, the Xbox Bounty Program.