Microsoft today kicked off a two-month bug hunt for vulnerabilities in Project Spartan, the company’s new browser set to launch alongside Windows 10 later this year, one of several announced additions to its various bounty programs.
“Microsoft’s new browser will be the onramp to the Internet for millions of users when Windows 10 launches later this year,” wrote Jason Shirk on the Microsoft Security Response Center blog. “Securing this platform is a top priority for the browser team.”
Microsoft said the Project Spartan bounty will pay up to $15,000 for remote code execution and sandbox escape vulnerabilities, and for design-level bugs. The bounty expires June 22, and payouts will depend on the severity of the issue and how reproducible it is, Microsoft said.
In addition to announcing the new Project Spartan bounty, Microsoft said it was expanding its Online Services Bug Bounty Program to include Microsoft’s cloud platform, Azure, and Sway.com, a web-based collaboration platform. Microsoft said that Azure virtual machines, Azure Cloud Services, Azure Storage, Azure Active Directory and more are in scope. Microsoft said that it has also raised the maximum payout for its Online Services Bug Bounty to $15,000 for critical vulnerabilities.
The company also expanded what’s in scope for its Mitigation Bypass and Bonus Bounty for Defense programs to include escapes from Hyper-V, formerly known as Windows Server Virtualization. Guest-to-host, guest-to-guest and guest-to-host denial of service bugs are in scope for this bounty, Microsoft said. The program pays up to $100,000 for active mitigation bypasses, and $50,000 for defense techniques against those bypasses.
Microsoft has made two such large payouts this year already. In March, NSFOCUS researcher Yunhai Zhang was awarded $75,000 for a mitigation bypass, the second researcher from the company to win a bounty from Microsoft.
In February, HP ZDI researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun developed attacks against two mitigations, Isolated Heap and MemoryProtection, earning $125,000 from the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense.