Microsoft just announced the launch of an Xbox bug bounty program to allow gamers and security researchers to report security vulnerabilities found in the Xbox Live network and services.
Qualified Xbox Bounty Program submissions are eligible for payouts ranging from $500 up to $20,000, with the top award reserved for a remote code execution vulnerability submitted in a high-quality report with a clear and concise proof of concept (PoC).
The bounties will be awarded "at Microsoft’s discretion" based on the severity and impact of the security issue disclosed, as well as the quality of the submission.
"Higher awards are possible, at Microsoft’s sole discretion, based on report quality and vulnerability impact," Redmond says.
"Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix."
We’re excited to announce the Xbox Bounty Program, which awards up to $20,000 for vulnerabilities in the Xbox network space. Find out more information: https://t.co/4Tsq17ocaH
— Security Response (@msftsecresponse) January 30, 2020
Vulnerabilities submitted through the Xbox Bounty Program are required to meet the following criteria to be eligible for a bounty award:
• Include clear, concise, and reproducible steps, in writing or in video format (this allows submissions to be reviewed as quickly as possible and supports the highest bounty awards)
Examples of vulnerabilities in scope for the Xbox Bounty Program include:
• Cross-site request forgery (CSRF)
• Insecure direct object references
• Insecure deserialization
• Injection vulnerabilities
• Server-side code execution
• Significant security misconfiguration (when not caused by user)
• Using a component with known vulnerabilities (when demonstrated with a working proof of concept)
Submissions to the Xbox team go through the MSRC Submission portal and must follow the recommended format set out in Microsoft's bounty submission guidelines.
Additional details on activities prohibited under the Xbox Bounty Program and on out-of-scope vulnerabilities are available on the Xbox bounty page; researchers are also expected to follow Coordinated Vulnerability Disclosure throughout the reporting process.
For submissions that fall outside the scope of the Xbox Bounty Program, Microsoft may still offer security researchers public recognition by adding them to the Online Service Acknowledgements page.
The bounty amounts for in-scope vulnerabilities based on their severity levels are available in the table below.
Security Impact | Report Quality | Critical | Important | Moderate | Low
Remote Code Execution | High | $20,000 | $15,000 | N/A | N/A
Remote Code Execution | Medium | $15,000 | $10,000 | N/A | N/A
Remote Code Execution | Low | $10,000 | $5,000 | N/A | N/A
Elevation of Privilege | High | $8,000 | $5,000 | $0 | N/A
Elevation of Privilege | Medium | $4,000 | $2,000 | $0 | N/A
Elevation of Privilege | Low | $3,000 | $1,000 | $0 | N/A
Security Feature Bypass | High | N/A | $5,000 | $0 | N/A
Security Feature Bypass | Medium | N/A | $2,000 | $0 | N/A
Security Feature Bypass | Low | N/A | $1,000 | $0 | N/A
Information Disclosure | High | N/A | $5,000 | $0 | $0
Information Disclosure | Medium | N/A | $2,000 | $0 | $0
Information Disclosure | Low | N/A | $1,000 | $0 | $0
Spoofing | High | N/A | $5,000 | $0 | $0
Spoofing | Medium | N/A | $2,000 | $0 | $0
Spoofing | Low | N/A | $1,000 | $0 | $0
Tampering | High | N/A | $5,000 | $0 | $0
Tampering | Medium | N/A | $2,000 | $0 | $0
Tampering | Low | N/A | $1,000 | $0 | $0
Denial of Service | High/Low | Out of Scope | Out of Scope | Out of Scope | Out of Scope
You can find additional information on Microsoft bounty program requirements as well as legal guidelines in the Bounty Terms, the Safe Harbor policy, and the Bounty FAQ.
"Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service," MSRC Program Manager Chloé Brown said.
"The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities that have a direct and demonstrable impact on the security of Xbox customers.
Public bounty programs are a valuable approach which combine with ongoing internal testing, private programs and knowledge shared by partners to produce a secure ecosystem to play in."
Comments
SuperSapien64 - 4 years ago
Good now only if Sony would do the same for the PSN.
chilinux - 4 years ago
If only the enterprise security companies would do the same.
Company: Microsoft
Product: Xbox One S
Product Cost: $250 MSRP
Product Purpose: "Experience the new generation of games and entertainment"
Maximum Bug Bounty Payout: $20,000
Company: Crowdstrike
Product: Falcon
Product Cost: Contact company to get a quote
Product Purpose: "Breaches Stop Here"
Maximum Bug Bounty Payout: $3,000 (15% of Xbox) as stated on HackerOne
Company: Citrix
Product: Citrix ADC
Product Cost: Contact company to get a quote
Product Purpose: "Comprehensive L3 – L7 security for your applications & APIs"
Maximum Bug Bounty Payout: None stated as being provided (0% of Xbox)
Company: Palo Alto Networks
Product: Next Generation Firewall
Product Cost: Contact company to get a quote
Product Purpose: "Simplify enterprise security"
Maximum Bug Bounty Payout: "Please do not request compensation" (0% of Xbox)
This list could go on and on. But is 2020 really the year in which a *game console* has better incentives for third-party security researchers to review than enterprise grade security products protecting critical information such as health care records? Does anyone else find that odd?
NoneRain - 4 years ago
That's great. Bug bounty programs not only help the enterprise, but the community as well.