Last week Microsoft revealed it has added scenario-based incentives to the Windows Insider Preview (WIP) Bounty Scheme, with a top $100,000 bounty.
As part of the WIP programme, Microsoft encourages qualifying researchers to identify bugs in the Windows Insider Preview Dev Channel, with general incentives ranging from $500 for denial-of-service (DoS) problems to $5,000 for remote code execution flaws.
Now, however, there are five attack scenarios that can reward researchers between $20,000 and $100,000. The full bounty is awarded for demonstrating a remote attack in which an unauthenticated attacker achieves non-sandboxed execution of arbitrary code without any user interaction.
Hackers will earn $50,000 if they demonstrate how a remote intruder might access private user data (e.g. files, images, or emails) with no user intervention, or with minimal user interaction, such as persuading the target to visit a malicious website.
A reward of $30,000 is provided for a remote attack that results in data loss or a persistent DoS state with no user interaction.
Microsoft is prepared to pay up to $20,000 for a sandbox escape with little to no user interaction, and likewise for access to private user data from a sandboxed process without user interaction; both of these are local attack vectors.
Microsoft also confirmed that it has made several improvements which will lead to quicker assessments and reviews of bounties.
“To allow faster triage and analysis of WIP bounty submissions and eventually get awards to researchers faster, we ask that all Windows vulnerability reports indicate whether the problem reproduces on WIP Dev Channel, and include the build and revision string in your report,” Jarek Stanley, senior MSRC program manager, explained in a blog post.
“We suggest using the MSRC Researcher Portal to submit vulnerabilities to Microsoft for faster bounty analysis. We have modified the portal user interface to streamline the data communication required to triage, review, and grant bounty for qualified submissions. When you think you have discovered a vulnerability that qualifies for a scenario-based bounty award, there are new fields in your report in the MSRC Researcher Portal that will show the scenario,” Stanley added.