Think you’ve found a glaring security hole in Xbox Live? Microsoft is interested.
The company announced a new bug bounty program today, focused specifically on its Xbox Live network and services. Depending on how serious the exploit is and how complete your report is, they’re paying up to $20,000.
Like most bug bounty programs, Microsoft is looking for pretty specific/serious security flaws here. Found a way to execute unauthorized code on Microsoft’s servers? They’ll pay for that. Keep getting disconnected from Live when you play as a certain legend in Apex? Not quite the kind of bug they’re looking for.
Microsoft also specifically rules out a few types of vulnerabilities as out-of-scope, including DDoS attacks, anything that involves phishing Microsoft employees or Xbox customers, or getting servers to cough up basic info like server name or internal IP. You can find the full breakdown here.
This is by no means Microsoft’s first foray into bounty programs; they’ve got similar programs for the Microsoft Edge browser, their “Windows Insider” preview builds, Office 365, and plenty of other categories. The biggest bounties they offer are on their cloud computing service, Azure, where the bounty for a super-specific bug (gaining admin access to an Azure Security Lab account, which are closely controlled) can net up to $300,000.