Microsoft will pay researchers up to $15k for Edge bugs forever

Microsoft has upgraded its temporary bug bounty for Windows 10 Edge to a permanent program. 

The new permanent status follows a 10 month time-limited bounty for Edge that has seen Microsoft pay $200,000 to researchers for reports of bugs worth between $500 and $15,000 each. Microsoft hasn’t revealed how many valid reports it received other than to say there were “many high quality reports”.

Bugs in Edge netted researchers the highest payouts in this year's Pwn2Own contest by Trend Micro, while attempts to hack Chrome failed.

Microsoft launched the Edge Web Platform bug bounty in August last year, allowing researchers to report bugs in the browser on the latest version of the Windows Insider Preview. 

It encouraged researchers to find remote code execution (RCE), same origin policy bypass vulnerabilities (example: UXSS), and referrer spoofing vulnerabilities. 

The same basic rules still apply today; to be eligible for payment researchers must find bugs that are reproducible on the slow track of the Windows Insider Preview. 

The Edge bounty is one of seven programs Microsoft is currently running. It was the third focussed on its browsers. The company has paid researchers a total of $1.5 million since its first bounty in 2013.

Several major platforms have launched, relaunched or significantly raised bug bounty payments over the past year. 

Firefox maker Mozilla was one of the first internet firms to pay researchers to report bugs, launching a program in 2004 that paid researchers $500 for bugs in Firefox. In May it relaunched a bounty, offering up to $5,000 for critical remote code execution bugs in its key websites. 

Google has paid $3 million to researchers since its first bounty program in 2010 for bugs in Chrome, its websites, and Android. Earlier this month it jacked up payments for the most severe bugs in Android: rewards for bugs that lead to a Verified Boot hack were increased from $50,000 to $200,000, and remote kernel exploits moved from $30,000 to $150,000.

Google’s top pay level for dangerous Android exploits matched Apple’s offer of up to $200,000 for critical bugs in iOS secure boot firmware components. Apple kicked off its private bug bounty program late last year.
