Secure research starts with responsible testing.
XBOX Bounty Program
Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers.
IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.
PROGRAM DESCRIPTION
The Xbox Bounty Program invites gamers and security researchers to identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty awards of $1,250 to $20,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
Identify a previously unreported vulnerability that reproduces in our latest, fully patched version of Xbox Live network and services at the time of submission.
We request researchers include the following information to help us quickly assess their submission:
Submit through the MSRC Researcher Portal.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
SCOPE
Vulnerabilities submitted in the following products and services are eligible under this bounty program:
GETTING STARTED
Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.
Sign up for an Xbox network account. We recommend creating one or more test accounts to conduct security vulnerability research.
Access to a Xbox 360, Xbox One, Xbox One S or Xbox One X is not required for testing but may be useful. Please note, consoles will not be provided for testing purposes.
Access to a Xbox Gold, Project xCloud, Xbox Game Pass, Xbox Game Pass for PC or Xbox Game Pass Ultimate account is not required for testing but may be useful. Please note, paid accounts will not be provided for testing purposes.
Follow Xbox on X, Xbox community site and forums to learn about the latest features and releases.
BOUNTY AWARDS
Bounty awards range from $1,250 up to $20,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure a place on the Microsoft Most Valuable Researcher list.
| Severity | |||||
|---|---|---|---|---|---|
| Security Impact | Report Quality | Critical | Important | Moderate | Low |
| Remote Code Execution | High Medium Low | $20,000 $15,000 $10,000 | $15,000 $10,000 $6,000 | N/A | N/A |
| Elevation of Privilege | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | N/A |
| Security Feature Bypass | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | N/A |
| Information Disclosure | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Spoofing | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Tampering | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Denial of Service | High/Low | Out of Scope | |||
Sample high- and low-quality reports are available here.
OUT-OF-SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award.
If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.
Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:
- Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of August 2021, for example, these include, without limitation:
- Vulnerabilities that rely on Akamai ARL misconfiguration
- Out-of-Scope vulnerability types, including:
- Server-side information disclosure such as IPs, server names and most stack traces
- Low impact CSRF bugs (such as logoff)
- Denial of Service issues
- Issues relating to Fraud
- Sub-Domain Takeovers
- Cookie replay vulnerabilities
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities in user-created content or applications
- Vulnerabilities in Mixer, GamePass, xCloud, Xbox.com
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service
- Vulnerabilities in third-party sites which are not owned by Microsoft and sites that pertain to marketing efforts
- Training, documentation, samples, and community forum sites related to Microsoft XBOX Bounty Program products and services are out-of-scope for bounty awards
- Vulnerabilities in Microsoft game studios, including but not limited to:
- compulsiongames.com
- doublefine.com
- inxile.net
- ninjatheory.com
- obsidian.net
- playground-games.com
- undeadlabs.com
Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
REVISION HISTORY
- January 30, 2020: Launched Xbox Bounty
- August 26, 2021: Added to out of scope - vulnerabilities that rely on Akamai ARL misconfiguration.
- May 13, 2025: Updated Research Rules of Engagement section.