Google and Apple may offer white hat hackers and researchers up to $200,000 for reporting vulnerabilities in their respective systems, but Microsoft has them beat when it comes to the highest payout. The Redmond company’s new Windows Bounty Program offers a maximum reward of up to $250,000 for those who discover serious Hyper-V vulnerabilities.
A quarter of a million dollars is a long way from the $50,000 top award Microsoft offered when its bug bounty program began back in 2013. The figure has increased over the years as the initiative expanded.
To receive the highest payout, users must identify an original and previously unreported vulnerability in Hyper-V that allows for remote code execution and impacts the hypervisor and host kernel. But Microsoft notes that the flaw needs to work on the latest release of the Windows Insider Preview slow ring to be eligible.
The lowest amount available for reporting security issues is $500. Awards will be paid out for “any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security.”
Reporting remote code execution bugs found within Windows Insider Preview or Edge can result in a reward of up to $15,000. Critical vulnerabilities in Windows Defender Application Guard can bring in up to $30,000. The price rises to $100,000 for those who “submit a novel mitigation bypass against [Microsoft's] latest Windows platform.”
Should someone report a vulnerability that has already been discovered internally by a Microsoft employee (one that's not been publicly disclosed, presumably), 10 percent of the maximum cash reward will be handed out.
Last year, Apple finally announced it was starting a bug bounty program of its own. It said that bugs in its systems were becoming too difficult to find, and that it would offer cash ranging from $20,000 to $200,000 to researchers who discovered vulnerabilities.