MSRC

Secure research starts with responsible testing.

Microsoft Edge Bounty Program

Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers. 
 

IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.

PROGRAM DESCRIPTION

The Microsoft Edge Bounty Program welcomes individuals to seek out and submit vulnerabilities unique to Microsoft Edge based on Chromium. Qualified submissions are eligible for bounty awards from $250 to $30,000 USD. This includes third-party and open-source components shipped in Microsoft Edge. Please note that qualifying reports must demonstrate a qualifying security impact on Microsoft Edge itself.

 

ELIGIBLE SUBMISSION?

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards. Including this information also helps us assess a submission quickly:

  • Identify a previously unreported vulnerability that is unique to Microsoft Edge based on Chromium, in the Dev, Beta, or Stable channels, and which does not reproduce on the equivalent channel of Google Chrome.
    • Vulnerabilities must be reproducible on the latest version of Microsoft Edge at the time of submission running on the latest, fully patched version of Windows (including Windows 10), Linux, macOS, Android, or iOS. Testing in Windows Insider Preview is not required.
    • Include the version number of Microsoft Edge used to reproduce the vulnerability (e.g., Version 77.0.188.0 (Official build) dev (64-bit)), and the version number of Chrome used to verify that the vulnerability does not reproduce on Chrome. Eligible Microsoft Edge versions are 77 or higher.
  • Demonstrable exploits in Microsoft Edge WebView2 are eligible for consideration under this bounty program.
    • The eligible Microsoft Edge WebView2 SDKs and runtimes are:
      • WebView2 prerelease and release SDK
      • Evergreen WebView2 runtime, and the runtimes in Dev and Beta channel of Microsoft Edge
    • Vulnerabilities must be reproducible on the latest WebView2 SDKs and runtimes at the time of submission, running on the latest, fully patched version of Windows (including Windows 10).
    • Include the version number of WebView2 SDK (e.g., 1.0.1905-prerelease or 1.0.2088.41) and the WebView2 runtime (e.g., Version 114.0.1823.79) used to reproduce the vulnerability.
  • Demonstrable exploits in third-party components that reproduce in Microsoft Edge but not in Chrome are also eligible for consideration under this bounty program.
    • Requires a full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.
  • Include concise reproducibility steps that are easily understood, either in writing or in video format.
    • This allows submissions to be processed as quickly as possible and supports the highest bounty awards.
  • Must provide Proof of Concept (PoC) with submission.
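
The criteria above ask for the exact Edge build (77 or higher) and the Chrome build used for the negative check. The snippet below is an added example, not Microsoft's code or part of this program page: a small helper a researcher can drop into a PoC page to record that version line automatically from the User-Agent Client Hints fullVersionList. It assumes the fullVersionList shape (an array of {brand, version} entries), that Edge advertises the brand "Microsoft Edge" and Chrome "Google Chrome", and that the GREASE brand and the shared "Chromium" brand should be ignored; the sample lists are constructed, and the 77 threshold is the rule stated above.

```javascript
// Added example (not Microsoft's code): record the browser build a bounty
// repro ran in, from the UA-CH fullVersionList, in the form the report needs.
// Assumptions: fullVersionList entries are {brand, version}; Edge's brand is
// "Microsoft Edge" and Chrome's is "Google Chrome"; eligible Edge is >= 77.

const MIN_ELIGIBLE_EDGE_VERSION = '77.0.0.0';

// Map a brand to a browser id. GREASE entries such as "Not;A=Brand" and the
// generic "Chromium" brand (present in both Edge and Chrome lists) are ignored.
function brandToBrowser(brand) {
  if (brand === 'Microsoft Edge') return 'edge';
  if (brand === 'Google Chrome') return 'chrome';
  return null;
}

// Numeric comparison of dotted versions, so "114.0.1823.79" sorts above
// "99.0.0.0" (a plain string compare would get this wrong).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Decide which browser produced the list, its full version, and whether that
// build is an eligible Edge target under the rule above.
function classifyBrowser(fullVersionList) {
  let browser = 'other';
  let version = null;
  for (const entry of fullVersionList || []) {
    const id = brandToBrowser(entry.brand);
    if (id) {
      browser = id;
      version = entry.version;
      break;
    }
  }
  const eligible = browser === 'edge' && version !== null &&
    compareVersions(version, MIN_ELIGIBLE_EDGE_VERSION) >= 0;
  return { browser, version, eligible };
}

// One line to paste into the submission alongside the repro steps.
function reportLine(info) {
  const names = { edge: 'Microsoft Edge', chrome: 'Google Chrome', other: 'Unknown browser' };
  return `${names[info.browser]} ${info.version || '(version unavailable)'}` +
    (info.eligible ? ' [eligible Edge build]' : '');
}

// Constructed sample lists shaped like what Edge and Chrome return.
const SAMPLE_EDGE = [
  { brand: 'Not;A=Brand', version: '99.0.0.0' },
  { brand: 'Chromium', version: '114.0.5735.199' },
  { brand: 'Microsoft Edge', version: '114.0.1823.79' },
];
const SAMPLE_CHROME = [
  { brand: 'Not;A=Brand', version: '8.0.0.0' },
  { brand: 'Chromium', version: '114.0.5735.199' },
  { brand: 'Google Chrome', version: '114.0.5735.199' },
];

// In a PoC page this queries the live browser; outside a browser it falls
// back to the constructed Edge sample so the helper can be exercised offline.
async function recordBrowserVersion() {
  if (typeof navigator !== 'undefined' && navigator.userAgentData) {
    const hints = await navigator.userAgentData.getHighEntropyValues(['fullVersionList']);
    return reportLine(classifyBrowser(hints.fullVersionList));
  }
  return reportLine(classifyBrowser(SAMPLE_EDGE));
}
```

Call recordBrowserVersion() from the repro page in both Edge and Chrome and paste each returned line into the report; it gives the reviewer the two version numbers the criteria require without relying on the legacy User-Agent string, which Edge and Chrome both freeze and reduce.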

Any vulnerabilities in AI systems found in Copilot Mode in Edge may be eligible for award under the Copilot Bounty Program.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria. 

 

SCOPE

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:  

  • Microsoft Edge based on Chromium, in the Dev, Beta, or Stable channels
    • Vulnerability must not reproduce on the equivalent channel of Google Chrome

 

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.

Download the Dev, Beta, or Stable channel of Microsoft Edge and follow the browser vulnerability research blog, Microsoft Edge team blog, community forums, GitHub, Microsoft Edge Insider page, and Twitter to learn about the latest features and releases.

There are several features in Microsoft Edge based on Chromium that are unique to Edge and may be good places to start looking for bounty-eligible vulnerabilities. Below are a few examples:

  • Internet Explorer (IE) Mode: This feature allows enterprise administrators to maintain a trusted list of sites allowed to be opened in IE Mode within the Edge browser. This feature requires a supported version of Windows. See the Microsoft Edge documentation for more details on this feature.
  • PlayReady DRM: This feature allows Microsoft Edge to show media content protected with PlayReady DRM (in addition to Widevine DRM, which is also supported by Google Chrome).
  • Sign in with Microsoft Account (MSA) or Azure Active Directory (AAD, now Microsoft Entra ID): This feature allows users to sign into the browser with an MSA or AAD account, which can enable syncing across devices and other personalization. Vulnerabilities affecting Microsoft Identity services will be reviewed and awarded under the Microsoft Identity bounty program if eligible.
  • Edge PDF: Microsoft Edge’s bespoke PDF viewer powered by Adobe Acrobat.
  • Microsoft Edge WebView2: Download the Evergreen runtime and set up your development environment for WebView2. Refer to the WebView2 documentation to learn more about WebView2. Follow the WebView2 Release Notes, WebView2Feedback and WebView2Announcements GitHub repositories to learn about current issues, latest feedback, and releases. 

 

AWARDS

Bounty awards range from $250 up to $30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure a place on the Microsoft Most Valuable Researcher list.

HIGH IMPACT SCENARIOS

                                          Severity [1]
  Vulnerability Type   Report Quality   Critical and Important   Moderate
  Sandbox Escape       High             $30,000                  $5,000
                       Medium           $25,000                  $3,000
                       Low              $20,000                  $1,000
 

GENERAL AWARDS

                                                 Severity [1]
  Vulnerability Type          Report Quality   Critical and Important   Moderate
  Information Disclosure      High             $20,000                  $3,000
                              Medium           $10,000                  $1,000
                              Low              $7,000                   $500
  Security Feature Bypass     High             $20,000                  $3,000
                              Medium           $10,000                  $1,000
                              Low              $7,000                   $500
  Renderer Process Remote     High             $10,000                  $1,000
  Code Execution (RCE)        Medium           $8,000                   $500
                              Low              $5,000                   $250
  Spoofing/Tampering          High             $7,500                   $1,000
                              Medium           $3,000                   $500
                              Low              $1,000                   $250
  Denial of Service           High/Low         Out of scope             Out of scope

[1] If a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded. If the user interactions or preconditions required are unlikely, a bug may not qualify for an award.

A vulnerability in Microsoft Edge based on Chromium where an attacker gains remote access to a victim’s computing device and can make changes, no matter where the device is geographically located.

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write-up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.

 

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award.

If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.

Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:

  • Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
  • Vulnerabilities that reproduce in Chrome at the time of submission
  • Vulnerabilities that only reproduce in Canary or earlier builds at the time of submission 
  • Vulnerabilities in any versions of Internet Explorer
  • Vulnerabilities in any version of Microsoft Edge based on EdgeHTML (versions of Edge up to and including version 45)
  • Vulnerabilities in user-generated content
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities in experimental features, such as those listed in edge://flags
  • Vulnerabilities where SmartScreen does not detect malicious files on platforms other than Windows
  • Vulnerabilities which highlight signaturing differences between Microsoft Edge’s SmartScreen and other browsers may not be eligible for an award
  • Vulnerabilities which require disabling or downgrading default and/or recommended security mitigations or mechanisms. For example:
    • Disabling existing Edge browser security features
    • Disabling Sandbox in Edge WebView2
  • Issues allowing users to break out of kiosk mode
  • Vulnerabilities in third-party components that do not demonstrate a qualifying security impact on Microsoft Edge
  • Training, documentation, samples, and community forum sites related to Microsoft Edge bounty program products and services are not in scope for bounty awards

Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.  

 

ADDITIONAL INFORMATION

For additional information, please see our FAQ.

 

REVISION HISTORY

  • Aug 20, 2019: Bounty program launched. Removed reference to MemGC.
  • Jan 15, 2020: Increased awards for Information Disclosure, Security Feature Bypass, and Spoofing/Tampering and changed Elevation of Privilege to Sandbox Escape. Renamed from “Edge Insider Bounty Program” to “Edge Bounty Program” alongside general availability of the new version of Edge.
  • Oct 19, 2020: Added Edge running on the latest version of Linux to bounty scope.
  • Sept 2, 2021: Added Edge running on Android and iOS to bounty scope.
  • Oct 21, 2021: Added moderate severity issues to bounty scope.
  • Mar 2, 2022: Clarified that issues requiring user interaction may be assessed as lower severity.
  • Apr 19, 2023: Added Microsoft Edge’s bespoke PDF viewer, SmartScreen out-of-scope details and signaturing differences between Microsoft Edge’s SmartScreen and other browsers.
  • March 25, 2024: Added Microsoft Edge WebView2 eligibility and out-of-scope details.
  • August 6, 2025: Added issues allowing users to break out of kiosk mode to out of scope, updated report quality categories, updated awards, and created High Impact Scenarios table.
  • October 28, 2025: Added reference to the Copilot Bounty Program for vulnerabilities in AI systems.
  • December 11, 2025: Updated hyperlinks and standardized language.