Microsoft has been running a bounty program for a few years now, launching it just ahead of the release of Windows 8.1 back in mid-2013. At the time, the company was awarding up to $50,000 for exploits, in an attempt to help address any potential security issues before they could become a larger public concern. It’s a tact taken by a number of tech’s biggest names, like Google, Facebook and, more recently, Apple.
The software giant’s expanding things a bit today, with the simply named “Windows Bounty Program”. It’ll cover a bit more ground in Windows 10, and features much loftier rewards for bug finders (thus perhaps making it a bit more compelling over selling the exploits to the highest bidding third party.) This time out, awards go all the way up to $250,000 for anyone who’s able to discover exploits in Microsoft Hyper-V, the company’s virtualization software.
Of course, that’s on the high-end. The awards start at $500 and will be handed out to, “any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security.” Other points of focus include Mitigation Bypass (things that break Microsoft’s security sandboxing) and Bounty for Defense, Windows Defender Application Guard, Microsoft Edge and, most notably, Windows Insider Preview, the company’s early access program for Windows 10 builds.
There is, naturally, some fine print here. For starters, if a Microsoft employee spots an issue first, the company will still offer an award to the first person outside the company who details it — but it will only be 10-percent of the maximum amount offered, meaning it only goes up to $25,000. Even so, that marks a change from the way many other companies approach to their respective programs, declining bounties for exploits that had already been discovered internally but not yet disclosed.
Ready to start poking around? Here’s the full list of categories Microsoft is interested in and their respective bounties. Microsoft says it will keep the program running indefinitely in its current form.