Microsoft said Wednesday it would no longer impose a time limit for its Edge bug bounty program.
The Redmond, Wash.-based company announced the Edge on Windows Insider Preview (WIP) program in August 2016 as a means to incentivize researchers to find and report vulnerabilities in the browser.
Initially the program paid bounties to researchers who discovered remote code execution vulnerabilities, same-origin bypass vulnerabilities, and referrer spoofing vulnerabilities. The program has since expanded, and while it still awards bounties for critical remote code execution, it also awards bounties for any design issue in the browser that could compromise a user’s privacy and security.
The program was slated to run until this May but, according to Microsoft, will now extend indefinitely.
“Keeping in line with our philosophy of protecting customers and proactively partnering with researchers, today we are changing the Edge on Windows Insider Preview (WIP) bounty program from a time bound to a sustained bounty program,” Akila Srinivasan, a member of Microsoft’s Security Response Center, wrote Wednesday in a Technet post.
The details of the program, below, more or less mirror the details of the limited program Microsoft announced last August.
- Any critical remote code execution or important design issue that compromises a customer’s privacy and security will receive a bounty
- The bounty program is sustained and will continue indefinitely at Microsoft’s discretion
- Bounty payouts will range from $500 USD to $15,000 USD
- If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD
- Vulnerabilities must be reproducible on the latest Windows Insider Preview (slow track)
The program has been a success; Srinivasan says Microsoft has handed out $200,000 in bounties since the program’s inception last August.
Microsoft has been fairly fluid with its bug bounty programs since starting its first back in 2013. The company announced one of its latest, for Office Insider Builds on Windows, back in March. The company said at the time it would pay up to $15,000 for high-severity elevation of privilege vulnerabilities via Office Protected View and for macro execution vulnerabilities that bypass security policies already in place that block macros by default.
That program, like last August’s Edge program, was temporary and expired last Thursday.