21 Aug 2019
Microsoft will pay hackers up to 30K USD to find flaws in the new Edge browser
The Microsoft Edge browser was released in beta, and the tech giant is running a bug bounty program for researchers to find major vulnerabilities.
On Tuesday, Microsoft released the official beta of its Chromium-based Edge browser, opening it up to any machine running Windows 10, 7, 8/8.1, or macOS. To improve the browser and keep it free of security flaws, the company also announced the launch of the Microsoft Edge Insider Bounty Program, welcoming researchers and ethical hackers to find and disclose high-impact vulnerabilities in the browser, with rewards of up to $30,000 for certain vulnerabilities in the Dev and Beta channels.
Organizations including Microsoft, HP, Dropbox, Google, and the US Air Force have run bug bounty programs in recent years, attempting to discover vulnerabilities before malicious hackers do. These programs also offer a chance for researchers to hone penetration testing skills and earn extra money.
The Microsoft Edge Insider Bounty Program will complement the Chrome Vulnerability Reward Program, so any vulnerability that reproduces on Edge but not Chrome will be reviewed for bounty eligibility, based on severity, impact, and report quality, according to a Tuesday blog post from Microsoft.
Reports of valid vulnerabilities impacting the next version of Microsoft Edge will receive a 2X bonus multiplier in the Microsoft Security Response Center Researcher Recognition Program, the post noted.
To be eligible for the bounty program, vulnerabilities must reproduce in the latest fully patched version of Windows, including Windows 10, Windows 7 SP1, or Windows 8.1, or macOS (Windows Insider Preview is not required). The program will reward researchers for their work upon assessment and completion of reproduction, according to the post.
Critical and important vulnerabilities in Microsoft Edge Beta and Dev channels will net researchers up to $30,000. Critical remote code execution and design issues in Microsoft Edge in the Windows Insider Preview Slow ring will earn you up to $15,000, according to the post.
"We're excited to expand our bounty programs today to include the next version of Microsoft Edge and continue to grow and strengthen our partnership with the security research community," Jarek Stanley, senior program manager of the Microsoft Security Response Center, wrote in the post.