Microsoft will pay up to $20,000 for Xbox Live bugs

Microsoft has launched a bug bounty program specifically for the Xbox Live network and services, and it’s paying bug hunters up to $20,000. As with any other bug bounty program, the payout depends on the security vulnerability’s severity and starts at $500.

The biggest payouts will be handed out for critical remote code execution and elevation of privilege flaws, while security feature bypasses, information disclosure, spoofing, and tampering will all carry rewards of up to $5,000. As Microsoft is opening this up to gamers and anyone who has the skills to find flaws, it’s expecting high-quality reports with a detailed write-up or video demonstration, and a clear proof of concept. Microsoft isn’t looking for people to perform DDoS testing, carry out social engineering attacks, or go too far on server-side execution issues.

Those who want to send in a submission will have to include reproducible steps to be able to claim a reward. And while the program covers quite a few different types of vulnerabilities, some things are out of scope, such as DDoS issues and URL Redirects.

The Xbox Live program is but one of the bug bounty programs Microsoft is running for its products and services. Some of them have a reward cap of $15,000, but the biggest program overall promises up to $300,000 for the most severe vulnerabilities found in the company’s Azure cloud computing services.
