Microsoft Xbox has announced a new bug bounty program that enlists the public's help to identify critical bugs in the Xbox software ecosystem. Bounty amounts will be decided according to the severity of the bug, its security impact and the quality of the report submitted by the researcher (bounty hunter).
Many companies have announced bug bounty programs in the past as a way of finding critical problems in their software systems. This program defines multiple tiers of security impact, from Remote Code Execution down to Tampering. Within each security-impact tier, the reward is set by two factors: the severity of the bug, which ranges from critical to low, and the quality of the report, which is graded on three levels.
To qualify as an eligible submission, a researcher must identify a previously unreported vulnerability that can be reproduced in the latest, fully patched version of the Xbox Live network and services at the time of submission. The report must also include clear, concise and reproducible steps, either in writing or in video format; a finding that cannot be reproduced against the current production services will not be rewarded.
Examples of in-scope vulnerability classes offered by Microsoft include cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR) and insecure deserialization, among others. Those interested in submitting findings may do so through the MSRC Submission portal, following the recommended format in Microsoft's submission guidelines.