
Microsoft is offering rewards of up to $30,000 to find bugs in the Edge browser

The Microsoft Edge Insider Bounty Program is hoping to lure in tech savvy hackers to clean up its Chromium-based browser


Microsoft is offering rewards of up to $30,000 to find security bugs in its Edge browser. With a hefty load of cash on the line, depending on severity and report quality, the Microsoft Edge Insider Bounty Program is hoping to lure in entrepreneurial hackers to clean up its Chromium-based browser.

Microsoft is currently in the process of a major renovation project with Edge. Rather than stick it out with EdgeHTML, Microsoft is now opting for the open-source Chromium engine that makes up most of Google Chrome’s backend, and it’s hoping this will be the key to scraping back some of the browser market share it’s lost over the years to the likes of Chrome and Firefox.

To do that requires an accelerated development path to get Edge up to speed with the competition, and that means some serious bug and vulnerability testing along the way to ensure the browser stays safe and secure. The bug bounty program is looking out for various attacks, with remote code execution and elevation of privilege attacks of the utmost importance – and value.

Microsoft is offering the full $30k for any elevation of privilege + WDAG container escape vulnerability rated critical severity. Beyond that, rewards range from $15,000 to $5,000 for critical flaws, and $10,000 to $1,000 for important flaws.

That’s not to say one such flaw exists in Microsoft’s code, however. After all, the open-source Chromium backend is also responsible for a great deal of a browser’s security, and Microsoft will only pay out if a reported vulnerability can be shown to work on Edge and on no other Chromium browser.

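| Security Impact | Report Quality | Critical | Important | Moderate | Low |
| --- | --- | --- | --- | --- | --- |
| Elevation of Privilege + WDAG container escape | Up to $30,000 under the Windows Defender Application Guard Bounty Program | | | | |
| Elevation of Privilege | High | $15,000 | $10,000 | $0 | $0 |
| Elevation of Privilege | Medium | $13,000 | $8,000 | $0 | $0 |
| Elevation of Privilege | Low | $8,000 | $5,000 | $0 | $0 |
| Remote Code Execution | High | $10,000 | $7,000 | $0 | $0 |
| Remote Code Execution | Medium | $8,000 | $4,000 | $0 | $0 |
| Remote Code Execution | Low | $5,000 | $1,000 | $0 | $0 |
| Information Disclosure | High | $10,000 | $6,000 | $0 | $0 |
| Information Disclosure | Medium | $8,000 | $3,000 | $0 | $0 |
| Information Disclosure | Low | $5,000 | $1,000 | $0 | $0 |
| Spoofing/Tampering | High | N/A | $6,000 | $0 | $0 |
| Spoofing/Tampering | Medium | N/A | $3,000 | $0 | $0 |
| Spoofing/Tampering | Low | N/A | $1,000 | $0 | $0 |
| Security Feature Bypass | Awarded based on resulting impact of the bypass | | | $0 | $0 |
| Denial of Service | High/Low | Out of Scope | | | |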

Microsoft is offering some insight into the best places to look for bugs, however. These include features like Internet Explorer Mode, PlayReady DRM, Microsoft Account sign-in and Azure Active Directory, and Application Guard, which are all implementations either unique to, or heavily coded by Microsoft for, the Edge browser.

Finding bugs can be big business. Intel similarly offers a bug bounty program, which has recently taken on a crucial role for the company following CPU security disclosures such as Meltdown and Spectre.

If you want to give Edge a whirl – PCGN’s hardware overlord Dave reckons it’s worth a go – then you’ll want to head over to the Edge Insider website. Microsoft is currently trialling Microsoft Edge on Chromium via its Beta, Canary, and Dev channels, each updated on a different cadence to ensure stability. Beta is your best bet, with a six-week update cycle. Meanwhile, Canary is updated daily, occasionally breaking everything in the process. Pick your poison.
