Microsoft today launched an Xbox bug bounty program that pays between $500 and $20,000 for bugs found in the Xbox Live network and its services. The amount paid depends on the severity of the bug: the lowest award is $500 and the highest is $20,000.
Anyone who comes across an issue while using the Xbox Live network is free to report it. This applies to ordinary gamers as well as to gaming experts and people trained in network security.
Chloe Brown, Program Manager at the Microsoft Security Response Center (MSRC), states that anyone reporting an issue needs to submit a clear and concise proof of concept (POC) that explains the bug and its severity. The POC is essential for judging the depth of the issue and its effects, and it helps the Xbox team reproduce the issue before proceeding to fix it.
The program's rules state that "Bounties will be awarded at Microsoft's discretion based on the severity and impact of the vulnerability and the quality of the submission."
The bug bounty program applies to the backend of the Xbox Live cloud. Rewards are determined by the quality of the bug report, the security impact of the bug on the system, and the severity of the issue. For example, a "Remote Code Execution" issue with a "High" quality report and "Critical" severity earns $20,000; with the same parameters but "Important" severity instead of "Critical", the reward is $15,000.
Any restrictions for receiving the bug bounty reward?
Of course, all rewards come with terms and conditions and a few restrictions. Microsoft does not permit bug finders to engage in any kind of phishing activity. It also prohibits Xbox users and engineers from probing beyond the minimum access needed to locate and report a bug, and from locating, accessing, or downloading sensitive Xbox data.
The Xbox platform has been active since around 2012. Although Microsoft was one of the first tech giants to start a bug bounty program of this sort, Xbox was not initially part of it.
As of today, many people have been rewarded under the bug bounty program. Bug finders have reported issues in products such as the Windows operating system, the Office suite, the Internet Explorer and Edge web browsers, Microsoft's vast array of cloud services, the Hyper-V hypervisor, and the ElectionGuard open-source voting software. The Xbox Live network is simply the latest addition to that list.
An earlier report stated that Microsoft had paid out about $2,000,000 through the bug bounty program in 2018.
Image Source: The Verge