“We’re excited to expand our bounty programs today to include the next version of Microsoft Edge and continue to grow and strengthen our partnership with the security research community,” Jarek Stanley, senior program manager at Microsoft, said in a Tuesday post. “We welcome researchers to seek out and disclose any high-impact vulnerabilities they may find in the next version of Microsoft Edge, based on Chromium, and offer rewards up to US $30,000 for eligible vulnerabilities in Dev and Beta channels.”
Under the Microsoft Edge Insider Bounty Program, researchers can earn between $1,000 and $30,000 for finding critical and important vulnerabilities in Microsoft’s Edge Dev and Beta channels. Microsoft said the program aims to complement Google’s existing Chrome Vulnerability Reward Program, which also offers a top reward of $30,000 for a high-quality bug report. Additionally, the new bounty program will run alongside the existing Microsoft Edge (EdgeHTML) on Windows Insider Preview bounty program, which offers a top reward of $15,000, the tech giant added.
“The goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to uncover vulnerabilities that are unique to the next Microsoft Edge which have a direct and demonstrable impact on the security of our customers,” Microsoft said.
To be eligible for a reward in the Chromium-based Edge bounty, the vulnerabilities submitted by researchers must meet the following criteria:
Identify a previously unreported vulnerability that is unique to Microsoft Edge based on Chromium, in the Beta or Dev channels, and which does not reproduce on the equivalent channel of Google Chrome. Vulnerabilities must be reproducible on the latest version of Microsoft Edge at the time of submission, running on the latest, fully patched version of Windows (including Windows 10, Windows 7 SP1 or Windows 8.1) or macOS at the time of submission. Include the version number of Microsoft Edge used to reproduce the vulnerability (e.g. Version 77.0.188.0 (Official build) dev (64-bit)), and the version number of Chrome used to verify that it does not reproduce on Chrome. Eligible version numbers of the next version of Microsoft Edge will begin with 77 or higher.
Demonstrable exploits in third-party components that reproduce in Microsoft Edge but not in Chrome are also eligible for consideration under this bounty program. Testing in Windows Insider Preview is not required. Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.
Include concise reproducibility steps that are easily understood, either in writing or in video format. This allows submissions to be processed as quickly as possible and supports the highest bounty awards.
Must provide Proof of Concept (PoC) with submission.
Microsoft may, at its sole discretion, accept or reject any submission that it determines does not meet the above criteria. You can read more about the Microsoft Edge Insider Bounty Program and the rewards here. Further, those who are interested in the new beta version of Microsoft Edge can download it from here. Source: Microsoft