Microsoft announces the launch of a bug bounty program for Xbox

Pierluigi Paganini February 02, 2020

Microsoft announced the launch of an Xbox bug bounty program with rewards of up to $20,000 for critical remote code execution flaws.

Microsoft is going to launch an Xbox bug bounty program that will pay rewards of up to $20,000 for critical remote code execution vulnerabilities.

“The Xbox Bounty Program invites gamers, security researchers, and others around the world to help identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.” reads the program description.

“Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.”

The bug bounty program will pay for vulnerabilities in the Xbox Live network and services. The list of eligible vulnerability types includes cross-site scripting (XSS), cross-site request forgery (CSRF), IDOR, insecure, injection, server-side code execution, and significant security misconfiguration (when not caused by the user).

The vulnerabilities can lead to remote code execution, elevation of privileges, security bypass, information disclosure, spoofing, or tampering. Denial-of-service (DoS) flaws are out of scope.

Bounty awards range from $500 up to $20,000. Higher awards are possible, at Microsoft’s sole discretion, based on report quality and vulnerability impact. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.

Security Impact         | Report Quality | Critical | Important | Moderate | Low
------------------------|----------------|----------|-----------|----------|-------------
Remote Code Execution   | High           | $20,000  | $15,000   | N/A      | N/A
                        | Medium         | $15,000  | $10,000   |          |
                        | Low            | $10,000  | $5,000    |          |
Elevation of Privilege  | High           | $8,000   | $5,000    | $0       | N/A
                        | Medium         | $4,000   | $2,000    |          |
                        | Low            | $3,000   | $1,000    |          |
Security Feature Bypass | High           | N/A      | $5,000    | $0       | N/A
                        | Medium         |          | $2,000    |          |
                        | Low            |          | $1,000    |          |
Information Disclosure  | High           | N/A      | $5,000    | $0       | $0
                        | Medium         |          | $2,000    |          |
                        | Low            |          | $1,000    |          |
Spoofing                | High           | N/A      | $5,000    | $0       | $0
                        | Medium         |          | $2,000    |          |
                        | Low            |          | $1,000    |          |
Tampering               | High           | N/A      | $5,000    | $0       | $0
                        | Medium         |          | $2,000    |          |
                        | Low            |          | $1,000    |          |
Denial of Service       | High/Low       | Out of Scope

Researchers who report remote code execution flaws can earn between $5,000 and $20,000, while privilege escalation vulnerabilities can be rewarded with payouts between $1,000 and $8,000. The remaining issue classes pay between $1,000 and $5,000.

Microsoft will review every submission on a case-by-case basis; however, some common low-severity issues are out of scope and typically do not earn bounty rewards:

  • Server-side information disclosure such as IPs, server names and most stack traces
  • Low impact CSRF bugs (such as logoff)
  • Denial of Service issues
  • Issues relating to Fraud
  • Sub-Domain Takeovers
  • Cookie replay vulnerabilities
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)

“Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service. The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers,” reads the announcement published by Microsoft.


Pierluigi Paganini

(SecurityAffairs – Xbox, hacking)
