Microsoft Edge Bounty Program
PROGRAM DESCRIPTION
The Microsoft Edge Bounty Program welcomes individuals across the globe to seek out and submit vulnerabilities unique to Microsoft Edge based on Chromium. Qualified submissions are eligible for bounty rewards of $250 USD to $30,000 USD.
This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions.
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?
The goal of the Microsoft Edge Bounty Program is to uncover vulnerabilities that are unique to the next Microsoft Edge based on Chromium which have a direct and demonstrable impact on the security of our customers. Vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a previously unreported vulnerability that is unique to Microsoft Edge based on Chromium, in the Dev, Beta, or Stable channels, and which does not reproduce on the equivalent channel of Google Chrome.
- Vulnerabilities must be reproducible on the latest version of Microsoft Edge at the time of submission running on the latest, fully patched version of Windows (including Windows 10), Linux, MacOS, Android, or iOS. Testing in Windows Insider Preview is not required.
- Include the version number of Microsoft Edge used to reproduce the vulnerability (e.g. Version 77.0.188.0 (Official build) dev (64-bit), and the version number of Chrome used to verify that it does not reproduce on Chrome. Eligible version numbers of Microsoft Edge will begin with at least 77 or higher.
- Demonstrable exploits in Microsoft Edge WebView2 are eligible for consideration under this bounty program.
- The eligible Microsoft Edge WebView2 SDKs and runtimes are:
- WebView2 prerelease and release SDK
- Evergreen WebView2 runtime, and the runtimes in Dev and Beta channel of Microsoft Edge
- Vulnerabilities must be reproducible on the latest WebView2 SDKs and runtimes at the time of submission, running on the latest, fully patched version of Windows (including Windows 10).
- Include the version number of WebView2 SDK (e.g. 1.0.1905-prerelease or 1.0.2088.41) and the WebView2 runtime (e.g. Version 114.0.1823.79) used to reproduce vulnerability.
- The eligible Microsoft Edge WebView2 SDKs and runtimes are:
- Demonstrable exploits in third party components that repro in Microsoft Edge but not in Chrome are also eligible for consideration under this bounty program.
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying and out of date library would not qualify for an award.
- Include concise reproducibility steps that are easily understood, either in writing or in video format
- This allows submissions to be processed as quickly as possible and supports the highest bounty awards.
- Must provide Proof of Concept (PoC) with submission.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
GETTING STARTED
Download the next version of Microsoft Edge and follow the browser vulnerability research blog, Microsoft Edge team blog, community forums, GitHub, Microsoft Edge Insider page, and Twitter to learn about the latest features and releases.
There are several features in Microsoft Edge on Chromium that are unique to Edge and may be good places to start looking for Microsoft bounty eligible vulnerabilities. Below are a few examples:
- Internet Explorer (IE) Mode: This feature allows enterprise administrators to maintain a trusted list of sites allowed to be open in IE Mode within the Edge browser. This feature requires a supported version of Windows. See the new Microsoft Edge documentation for more details on this feature.
- PlayReady DRM: This feature allows the new Microsoft Edge to show media content protected with PlayReady DRM (in addition to the WideVine DRM, which is also supported by Google Chrome).
- Sign in with Microsoft Account (MSA) or Azure Active Directory (AAD): This feature allows users to sign into the browser with an MSA or AAD can enable syncing across devices and other personalization. Vulnerabilities affecting Microsoft Identity services will be reviewed and awarded under the Microsoft Identity bounty program if eligible.
- Application Guard: Vulnerabilities affecting Application Guard will be reviewed and awarded under the Windows Defender Application Guard bounty program if eligible. Vulnerabilities resulting in escape from the WDAG container to the host are eligible for up to $30,000.
- Edge PDF: Microsoft Edge’s bespoke PDF viewer powered by Adobe Acrobat.
- Microsoft Edge WebView2: Download the Evergreen runtime and set up your development environment for WebView2. Refer to the WebView2 documentation to learn more about WebView2. Follow the WebView2 Release Notes, WebView2Feedback and WebView2Announcements GitHub repositories to learn about current issues, latest feedback and releases.
HOW ARE PAYMENT AMOUNTS SET?
Bounty awards range from $250 up to $30,000. Higher awards are possible, at Microsoft’s sole discretion, based on entry quality and complexity. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.
| Security Impact | Report Quality | Severity1 | |
|---|---|---|---|
|
Critical and Important |
Moderate |
||
| Sandbox Escape |
High Medium Low |
$30,000 $25,000 $20,000 |
$5,000 $3,000 $1,000 |
| Application Guard Container Escape |
Windows Defender Application Guard Bounty Program (up to $30,000) |
||
| Information Disclosure |
High Medium Low |
$20,000 $10,000 $7,000 |
$3,000 $1,000 $500 |
| Security Feature Bypass |
High Medium Low |
$20,000 $10,000 $7,000 |
$3,000 $1,000 $500 |
| Renderer Process Remote Code Execution (RCE) |
High Medium Low |
$10,000 $8,000 $5,000 |
$2,000 $800 $500 |
| Spoofing/Tampering |
High Medium Low |
$7,500 $3,000 $1,000 |
$1,000 $500 $250 |
| Denial of Service |
High/Low |
Out of Scope |
1If a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded. If the user interactions or preconditions required are unlikely, a bug may not qualify for an award.
* A vulnerability in Microsoft Edge based on Chromium where an attacker has remote access to a victim’s computing device and make changes, no matter where the device is geographically located
A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:
- Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Vulnerabilities that reproduce in Chrome at the time of submission
- Vulnerabilities that only reproduce in Canary or earlier builds at the time of submission
- Vulnerabilities in any versions of Internet Explorer
- Vulnerabilities in any version of Microsoft Edge based on EdgeHTML (versions of the Edge up to and including version 45).
- Vulnerabilities in user-generated content
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities in experimental features, such as those listed in edge://flags
- Vulnerabilities where SmartScreen does not detect malicious files on platforms other than Windows
- Vulnerabilities which highlight signaturing differences between Microsoft Edge’s SmartScreen and other browsers may not be eligible for an award
- Vulnerabilities which require disabling or downgrading default and/or recommended security mitigations or mechanisms. For example:
- Disabling existing Edge browser security features
- Disabling Sandbox in Edge WebView2
Microsoft may accept reject any submission that it determines, at its sole discretion, falls into any of these categories.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program
- Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.
REVISION HISTORY
- Aug 20, 2019: Bounty program launched. Removed reference to MemGC.
- Jan 15, 2020: Increased awards for Information Disclosure, Security Feature Bypass, and Spoofing/Tampering and changed Elevation of Privilege to Sandbox Escape. Renamed from “Edge Insider Bounty Program” to “Edge Bounty Program” alongside general availability of the new version of Edge.
- Oct 19, 2020: Added Edge running on the latest version of Linux to bounty scope.
- Sept 2, 2021: Added Edge running on Android and iOS to bounty scope.
- Oct 21, 2021: Added moderate severity issues to bounty scope.
- Mar 2, 2022: Clarified that issues requiring user interaction may be assessed as lower severity.
- Apr 19, 2023: Added Microsoft Edge’s bespoke PDF viewer, SmartScreen out-of-scope details and signaturing differences between Microsoft Edge’s SmartScreen and other browsers.
- March 25, 2024: Added Microsoft Edge WebView2 eligibility and out-of-scope details