Microsoft launches Windows bug bounty program with payouts of up to $250,000

Microsoft has launched a new bug bounty effort for Windows, offering to pay out thousands of dollars to anyone who finds eligible security flaws.

Microsoft isn't new to bug bounty programs, having already implemented programs for Microsoft Edge and even Office Insiders. Now, the tech giant has launched a similar ongoing program for Windows generally, allowing security researchers to get paid for finding security flaws, with payouts ranging from as little as $500 to as high as $250,000.

The program itself covers all features of the Windows Insider Preview, and comes in addition to programs focused specifically on the likes of Hyper-V, Windows Defender Application Guard, Microsoft Edge and more. Rather than running for a limited time, the Windows Bounty Program will continue indefinitely, following the lead of the Microsoft Edge program, which was recently extended indefinitely as well.

Highlights include:

  • Any critical or important class remote code execution, elevation of privilege, or design flaw that compromises a customer's privacy and security will receive a bounty
  • The bounty program is sustained and will continue indefinitely at Microsoft's discretion
  • Bounty payouts will range from $500 USD to $250,000 USD
  • If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10% of the highest amount they could've received (example: $1,500 for an RCE in Edge, $25,000 for an RCE in Hyper-V)

As with all of Microsoft's bounty efforts, you can find the current status of active programs and their associated payouts at the dedicated MSRC Security TechCenter site.