Bug bounty program launched for the new Edge browser

Aug 26, 2019 05:24 GMT

Microsoft has launched a bug bounty program for its new Chromium-based Microsoft Edge browser, with the company paying up to $30,000 for an Elevation of Privilege vulnerability submitted with a high-quality report.

Microsoft is moving its browser to the Chromium engine, and this allows it to release Edge not only for Windows devices, but also on non-Windows platforms, including macOS.

At this point, the application is still in development, with a stable build expected later this year or in early 2020.

With the bug bounty program, Microsoft asks researchers to look for security vulnerabilities that are unique to the Chromium-based Microsoft Edge and do not exist in the equivalent version of Google Chrome. Only Beta and Dev builds are included in the program, so researchers shouldn’t look for bugs in the Canary versions.

Payments are issued for bugs on Windows and macOS, as per the program’s rules detailed here.

Type of submissions

An Elevation of Privilege bug with a WDAG container escape and a critical severity is worth $30,000, while a standard Elevation of Privilege vulnerability can bring you $15,000 if a high-quality report is included.

Information Disclosure issues with a critical severity rating are worth $10,000, $8,000, or $5,000, depending on the quality of the report.

Microsoft recommends that researchers focus on a series of features that are unique to the new Chromium Edge, such as Internet Explorer Mode, PlayReady DRM, support for Microsoft Account and Azure Active Directory, and Application Guard.

“The goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to uncover vulnerabilities that are unique to the next Microsoft Edge which have a direct and demonstrable impact on the security of our customers,” Microsoft explains.

“Bounty awards range from $1,000 up to $30,000. Higher awards are possible, at Microsoft’s sole discretion, based on entry quality and complexity. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.”

The full rules of the bug bounty program are available on the page linked above, and you can download Microsoft Edge preview builds using this link.