Last month, Microsoft launched a bug bounty program for the Edge web browser that focused on finding remote code execution vulnerabilities. The company has now expanded this program, offering hackers and researchers monetary rewards for different types of security flaws that they find. Here’s what you need to know.
Earlier this year, Microsoft Edge was found to have a vulnerability that kept track of websites users were visiting even when they were using the browser on InPrivate mode. While the security flaw was quickly fixed, the bug was found several months after the launch of Edge. Not a good look.
Unwilling to repeat the same mistake, Microsoft is getting serious about securing Edge with this new bug bounty program. The expanded program now rewards hackers and researchers for the following types of vulnerabilities:
- Same Origin Policy bypass vulnerabilities (example: UXSS)
- Referer Spoofing vulnerabilities
- Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview
- Vulnerabilities in open source sections of Chakra
All bugs must be reproducible on the latest Windows Insider Preview (Slow track).
The bounty program will run until May 15, 2017. Vulnerabilities on UXSS and referer spoofing submitted to Microsoft after August 4, 2016 will be retroactively rewarded.
Bounty rewards range from US$500 to US$15,000. If a researcher reports a vulnerability that has already been found by Microsoft internally, they will still be paid provided that they are the first external party to report it.
You can find how to enter the Edge bounty program over at Microsoft.