Microsoft has started a bug bounty programme for its next-generation Project Spartan browser and the next version of Internet Explorer (IE) for Windows 10 and is offering between $500 and $15,000 in rewards.
Microsoft hinted that there will be a higher amount available, but did not elaborate on a figure or what sort of discovery would cause it to be paid.
The Project Spartan bug programme runs until 22 June, and is open internationally to anyone over 14 years of age.
“For the duration of the programme, individuals across the globe have the opportunity to submit vulnerabilities found in Microsoft-branded internet browsers shipping on our latest pre-release Windows platform,” explained the firm.
“Qualified submissions are eligible for payment and bounties will be paid out at Microsoft’s discretion based on the quality and complexity of the vulnerability. Microsoft may pay more than $15,000 depending on the entry quality and complexity.”
Submissions will be rejected from anyone who works at Microsoft or who represents a company or country that is under sanction by the US, such as North Korea.
Microsoft explained that bug reports containing the most information will earn the most money, that vulnerabilities should be relatively easy to exploit, and that an exploit must not depend on the user performing any “extensive or unlikely” actions.
Successful remote code execution attacks and vulnerabilities that can escape application sandboxes will earn the highest rewards, and submissions should include proof-of-concept evidence and a functioning exploit.
Payments will also be made for vulnerabilities in EdgeHTML.dll and for bugs that defeat Address Space Layout Randomisation (ASLR), an exploit mitigation rather than a component with vulnerabilities of its own.
“The aim of the bug bounty programme is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data,” added Microsoft.
Submissions will be accepted only if they affect the most recent build of Windows 10, codenamed ‘Threshold’ by Microsoft.
Security researcher BruteLogic, who recently uncovered an XSS flaw on the Amazon website and more controversially on more than 30 Groupon websites, said that bug bounty programmes work well, in theory.
“These programmes are great for some. But there are some controversies about them. For example, things are done only on a company’s terms. If they do not want to pay, for a valid reason or not, there will be nothing legal or ethical that you could do,” he said.
“There are also some sites and companies that simply will not pay anything, and instead wait for people to work for them for free. If you disclose vulnerabilities from those who are not willing to pay, you are told that you’re doing it wrong, you don’t care about people, and you are unethical.”