Microsoft launches Windows bug bounty program with payouts of up to $250,000

Microsoft isn't new to bug bounty programs, having already implemented programs for Microsoft Edge and even Office Insiders. Now, the tech giant has launched a similar ongoing program for Windows generally, allowing security researchers to get paid for finding security flaws, with payouts ranging from as little as $500 to as much as $250,000.

The program itself covers all features of the Windows Insider Preview, and comes in addition to programs focused specifically on the likes of Hyper-V, Windows Defender Application Guard, Microsoft Edge and more. Rather than running for a limited time, the Windows Bounty Program will continue indefinitely, following the lead of the Microsoft Edge program that was recently extended indefinitely as well.

Highlights include:

  • Any critical or important class remote code execution, elevation of privilege, or design flaws that compromise a customer's privacy and security will receive a bounty
  • The bounty program is sustained and will continue indefinitely at Microsoft's discretion
  • Bounty payouts will range from $500 USD to $250,000 USD
  • If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10% of the highest amount they could've received (example: $1,500 for an RCE in Edge, $25,000 for an RCE in Hyper-V)

As with all of Microsoft's bounty efforts, you can find the current status of active programs and their associated payouts at the dedicated MSRC Security TechCenter site.