Microsoft Launches Xbox Bounty Program With $20K Maximum Payout

Microsoft just announced the launch of an Xbox bug bounty program to allow gamers and security researchers to report security vulnerabilities found in the Xbox Live network and services.

Qualified Xbox Bounty Program submissions are eligible for bounty payouts ranging from $500 up to $20,000, the top award going to a remote code execution vulnerability submitted in a high-quality report with clear and concise proofs of concept (PoCs).

The bounties will be awarded "at Microsoft’s discretion" based on the severity and impact of the security issue disclosed, as well as the quality of the submission.

"Higher awards are possible, at Microsoft’s sole discretion, based on report quality and vulnerability impact," Redmond says.

"Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix."

Vulnerabilities submitted through the Xbox Bounty Program are required to meet the following criteria to be eligible for a bounty award:

• Identify a previously unreported vulnerability that reproduces in our latest, fully patched version of Xbox Live network and services at the time of submission.
• Include clear, concise, and reproducible steps, either in writing or in video format. (This allows submissions to be reviewed as quickly as possible and supports the highest bounty awards.)

These are some examples of Xbox Bounty Program in-scope vulnerabilities:

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Insecure direct object references
• Insecure deserialization
• Injection vulnerabilities
• Server-side code execution
• Significant security misconfiguration (when not caused by user)
• Using a component with known vulnerabilities (when demonstrated with a working proof of concept)

To send a submission to the Xbox team you have to use the MSRC Submission portal, and the report has to follow the format recommended in Microsoft's bounty submission guidelines.

Additional details on the activities prohibited under the Xbox Bounty Program and on out-of-scope vulnerabilities are available on the Xbox bounty page; researchers are also expected to follow Coordinated Vulnerability Disclosure throughout the vulnerability reporting process.

For vulnerability submissions that are out of the scope of the Xbox Bounty Program, Microsoft may still offer the security researchers public recognition by adding them to the Online Service Acknowledgements page.

The bounty amounts for in-scope vulnerabilities based on their severity levels are available in the table below.

Security Impact          Report Quality   Critical   Important   Moderate   Low
-----------------------  ---------------  ---------  ----------  ---------  ------------
Remote Code Execution    High             $20,000    $15,000     N/A        N/A
                         Medium           $15,000    $10,000
                         Low              $10,000    $5,000
Elevation of Privilege   High             $8,000     $5,000      $0.00      N/A
                         Medium           $4,000     $2,000
                         Low              $3,000     $1,000
Security Feature Bypass  High             N/A        $5,000      $0.00      N/A
                         Medium                      $2,000
                         Low                         $1,000
Information Disclosure   High             N/A        $5,000      $0.00      $0.00
                         Medium                      $2,000
                         Low                         $1,000
Spoofing                 High             N/A        $5,000      $0.00      $0.00
                         Medium                      $2,000
                         Low                         $1,000
Tampering                High             N/A        $5,000      $0.00      $0.00
                         Medium                      $2,000
                         Low                         $1,000
Denial of Service        High/Low         Out of Scope

You can find additional information on Microsoft bounty program requirements as well as legal guidelines in the Bounty Terms, the Safe Harbor policy, and the Bounty FAQ.

"Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service," MSRC Program Manager Chloé Brown said.

"The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities that have a direct and demonstrable impact on the security of Xbox customers.

Public bounty programs are a valuable approach which combine with ongoing internal testing, private programs and knowledge shared by partners to produce a secure ecosystem to play in."
