Microsoft has announced the launch of the Xbox Bounty Program for gamers and cyber-security researchers to help identify security vulnerabilities in the Xbox Live network and services. In a blog post published Thursday, the company said that the goal of the bug bounty program is “to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of Microsoft’s customers”, and qualified submissions will be eligible for bounty rewards of $500 to $20,000.
As with most bug bounty programs, the vulnerabilities have to be previously unreported and, must be reproducible on the latest, fully-patched version of the company’s Xbox Live network and services at the time of submission. They’ll also have to directly affect the security of Xbox users, which means Remote Code Execution flaws that are the top of the heap in terms of severity, will earn the maximum reward. Others, like privilege elevation, bypassing of security features and spoofing will earn smaller rewards between $1,000 and $5,000.
Out-of-scope vulnerabilities include Denial-of-Service issues because that will require researchers to carry out DoS/ DDoS testing, thereby interfering with the company’s services. The company also says that server-side information disclosure, low-impact CSRF bugs, sub-domain takeovers, cookie replay vulnerabilities, basic URL redirects and anything that involves phishing or social engineering attacks against Microsoft employees or customers are also ineligible for rewards under the program.
The Xbox bug bounty program comes just a few months after the company rolled out a similar program for its Chromium-based Edge browser, with rewards of up to $30,000 for cyber-security researchers who can find vulnerabilities in the Dev and Beta channels of the software. The company also runs a number of other such programs for Windows, Office, .NET and more, but the highest rewards are reserved for vulnerability reports on Azure cloud services and Hyper-V virtualization servers.
