The launch of the new program was announced in a blog entry by the Microsoft Security Response Center (MSRC).
“Since 2012, we have launched multiple bounties for various Windows features,” the MSRC blog entry said.
“Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”
“Any critical or important class remote code execution, elevation of privilege, or design flaws that compromise a customer’s privacy and security will receive a bounty,” the blog entry states.
The expanded “sustained” bug bounty program will offer up to US$15,000 for the discovery of vulnerabilities in the Windows 10 Insider Preview slow ring.
“This is an umbrella Windows bounty program with various sustained and time bound focus areas,” states the program’s T&Cs.
Of the five vulnerability types covered by the program, remote code execution stands to deliver the biggest rewards of up to $15,000; followed by privilege elevation vulnerabilities (up to $10,000); and information disclosure, remote denial of service and tampering/spoofing (all up to $5,000).
It builds on existing programs covering Hyper-V, Windows Defender Application Guard, the Edge browser, and Microsoft’s combined Mitigation Bypass Bounty and Bounty for Defense Program, with those four programs now dubbed ‘focus areas’ under the umbrella program.
Discovering vulnerabilities in Hyper-V remains the most lucrative, potentially netting a security researcher up to $250,000.
Microsoft launched its first bug bounty program in 2013, offering cash for Internet Explorer 11 bugs.
Apple last year launched an invite-only bug bounty program, with up to $200,000 on offer for iOS vulnerabilities.