Microsoft has opened a new bounty program for researchers who hunt for bugs in its software, and this one is more serious than the others.
The new program targets remote code execution (RCE) vulnerabilities in the Microsoft Edge build that ships with the Windows Insider program. For end users, this means very few issues should reach the publicly released version of the browser.
Jason Shirk of the MSRC Team explains why the new bug hunting program is important.
"This bounty continues our partnership [...] to secure our platforms, in pre-release stages of the development process," Shirk writes.
He goes on to say that the Windows Insider program is designed to ensure that upcoming OS versions go live with both the best features and the strongest security.
Security researchers can hunt for bugs in Microsoft Edge between Aug. 4, 2016 and May 15, 2017. For each qualifying bug, researchers will receive payouts ranging from $500 to $15,000. If a reported bug turns out to have already been found internally by Microsoft, the company has pledged to pay up to $1,500 to the first "external" researcher who reports the issue.
Keep in mind that for a report to qualify, the discovered vulnerability has to be reproducible on the most recent version of Windows 10 in the "slow ring" of the Windows Insider program.
Those not following Windows developments should know that Microsoft split the Windows Insider initiative into three rings: Fast, Slow and Release Preview.
The first group receives builds as soon as they are produced, the second group gets a cleaned-up, more stable build some time later, while the last group receives a thoroughly tested build.
Microsoft already deploys a wide array of programs where security researchers can test their skills. Some noteworthy examples are the Bounty for Defense program, the Online Services Bug Bounty, the .NET Core Bug Bounty, the ASP.NET Core RC2 Bug Bounty, the Nano Server Technical Preview Bug Bounty and the Mitigation Bypass Bounty.
The previous Edge Technical Preview Bug Bounty ran last year between April 22 and June 22. Reports from the time show that Microsoft paid out between $1,500 and $15,000 to researchers who found RCE vulnerabilities.
More modest sums ranging from $1,500 to $6,000 went to those who identified high-severity vulnerabilities in the browser or EdgeHTML, with smaller bounties of only $500 going to those who found ASLR information disclosure vulnerabilities in Edge or EdgeHTML.
This April, Microsoft awarded a $13,000 bug bounty to security researcher Jack Whitton after he uncovered a critical authentication flaw with severe consequences for Azure, Office and Outlook accounts. According to Whitton, Microsoft's authentication system was vulnerable to cross-site request forgery (CSRF) attacks, which allowed attackers to obtain login tokens and then impersonate the legitimate user, compromising their accounts and data in the process.
Microsoft underlines that its bounty programs allow it to tap into the "collective intelligence and capabilities of security researchers," so that its end customers are kept safe and protected.
At the time of writing, the new Microsoft Edge bounty is not yet listed on the official Microsoft Bounty Programs page.
Should you feel that you belong to the "hacker" or "researcher" category and feel like earning some extra dough, check out Microsoft's offering. You never know which Edge bug you will encounter that ends up paying for your next trip to the Bahamas.