Microsoft Security Response Center (MSRC) announces Xbox Bug Bounty Program.
Microsoft invites gamers, security researchers, and technologists from around the world to join the Xbox bounty program, helping to identify security vulnerabilities in the Xbox network and services and share them with the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD).
Rewards range from $500 to $20,000 USD for finding security vulnerabilities in the Xbox network.
Eligible submissions with a clear and concise proof of concept (POC) are eligible for awards up to US$20,000, said Chloe Brown, Program Manager, MSRC.
“Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service. The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers.”
Public bounty programs are a valuable approach that combines with ongoing internal testing, private programs, and knowledge shared by partners to produce a secure ecosystem to play in.
Bounty awards range from $500 up to $20,000. Higher awards are possible, at Microsoft’s sole discretion, based on report quality and vulnerability impact. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.
The following are examples of vulnerabilities that may lead to one or more of the above security impacts:
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by user)
- Demonstrable exploits in third party components
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.
A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC).
Microsoft recognizes that some issues are extremely difficult to reproduce and understand; this will be considered when reviewing the quality of each submission.
The following activities are prohibited under the Xbox Bounty Program:
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Gaining access to any data that is not wholly your own. For example, you are allowed and encouraged to create a small number of test accounts for the purpose of demonstrating and proving cross-account access. However, it is prohibited to use one of these accounts to access the data of a legitimate customer or account.
- Moving beyond minimally necessary “proof of concept” repro steps for server-side execution issues.
- Attempting phishing or other social engineering attacks against our employees or Xbox customers.
Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.
Out of Scope Vulnerabilities
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for a bounty reward. Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty rewards:
- Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community.
- Out-of-scope vulnerability types, including:
- Server-side information disclosure such as IPs, server names and most stack traces
- Low impact CSRF bugs (such as logoff)
- Denial of Service issues
- Issues relating to Fraud
- Sub-Domain Takeovers
- Cookie replay vulnerabilities
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)