Announcing the Microsoft Edge Insider Bounty

This week, we released the first Beta preview of the next version of Microsoft Edge. Alongside this, Microsoft is excited to announce the launch of the Microsoft Edge Insider Bounty Program. We welcome researchers to seek out and disclose any high impact vulnerabilities they may find in the next version of Microsoft Edge, based on Chromium, and offer rewards up to US$30,000 for eligible vulnerabilities in Dev and Beta channels.

• We aim to complement the Chrome Vulnerability Reward Program, so any report that reproduces on the latest version of Microsoft Edge but not Chrome will be reviewed for bounty eligibility based on severity, impact, and report quality.
• Valid reports affecting the next version of Microsoft Edge will receive a 2X bonus multiplier in the Researcher Recognition Program.
• Faster rewards: the new Microsoft Edge bounty program will provide bounty will award upon completion of reproduction and assessment of each submission.

The new bounty program will run alongside the existing Microsoft Edge (EdgeHTML) on Windows Insider Preview bounty program. Vulnerabilities that reproduce in the latest, fully patched version of Windows (including Windows 10, Windows 7 SP1 or Windows 8.1) or MacOS may be eligible for the Microsoft Edge Insider bounty program. Windows Insider Preview is not required.

Program

Eligible Vulnerabilities

Award Range

Microsoft Edge Insider Bounty Program

Critical and important vulnerabilities in Microsoft Edge (Chromium-based) Beta and Dev channels.

Up to $30,000

Microsoft Edge (EdgeHTML) on Windows Insider Preview

Critical remote code execution and design issues in Microsoft Edge (EdgeHTML) in Windows Insider Preview Slow ring.

Up to $15,000

We’re excited to expand our bounty programs today to include the next version of Microsoft Edge and continue to grown and strengthen our partnership with the security research community.

Happy Hacking!

Jarek Stanley, Senior Program Manager, MSRC