Theorry

Member
Oct 27, 2017
61,045
Microsoft is launching a new Xbox Bounty Program to reward gamers, security researchers, and anyone else who discovers security vulnerabilities in the Xbox Live network and services. Bounty rewards will range from $500 up to $20,000, and Microsoft notes there could even be higher payouts depending on the quality of the report and the vulnerability impact.

The biggest payouts will be handed out for critical remote code execution and elevation of privilege flaws, while security feature bypasses, information disclosure, spoofing, and tampering will all include rewards up to $5,000. As Microsoft is opening this up to gamers and anyone who has the skills to find flaws, it's expecting high-quality reports with a detailed write-up or video demonstration, and a clear proof of concept. Microsoft isn't looking for people to perform DDoS testing or social engineering attacks, or to go too far on server-side execution issues.

Microsoft has run bug bounty programs for a number of its products over the years, including payouts of up to $250,000 for Windows 10 security bugs. This new Xbox Bounty Program comes just as Microsoft prepares to launch its Xbox Series X console and xCloud game streaming service. Both will operate on the Xbox Live network. Sony and Nintendo also accept security bug reports, with Nintendo rewarding up to $20,000 and Sony only providing a t-shirt as recognition.

 

CalamityPixel

Member
Oct 27, 2017
2,810
There's a bug where people kill me in videogames when I definitely killed them first.

Cash upfront please MS
 

kuroneko0509

Member
Oct 25, 2017
2,378
For some reason I thought Microsoft already had a bounty program for the Xbox side. Also lol Sony with the t-shirt reward
 

jelly

Banned
Oct 26, 2017
33,841
Always wondered how people cheated on Xbox Live from the Halo 2 days, flying warthogs etc. I guess Microsoft knows people are cheating but the holes to allow it are there.
 
Oct 25, 2017
4,841
Always wondered how people cheated on Xbox Live from the Halo 2 days, flying warthogs etc. I guess Microsoft knows people are cheating but the holes to allow it are there.
Hacked consoles. Original Xbox and Xbox 360 have been hacked to run custom software.

Xbox One is currently not hackable. And although the PS4 is hacked, hackers are stuck on old firmwares that can't connect online and have found no way to upgrade to the latest. That's why you see no cheats on either Xbox One or PS4.
 

Kyrios

Member
Oct 27, 2017
14,659
Yeah a few companies do this and I think it's a pretty good idea just to find the gaps the teams overlook. Just getting a t-shirt is pretty hilarious though lol
 

Akai

Member
Oct 25, 2017
6,045
Always wondered how people cheated on Xbox Live from the Halo 2 days, flying warthogs etc. I guess Microsoft knows people are cheating but the holes to allow it are there.

By modifying/flashing their consoles, which gives you access to file systems and also more importantly lets you run any unassigned code.
 

jelly

Banned
Oct 26, 2017
33,841
So the console is more secure, right, as said above, so this is mainly for PC connectivity to Xbox Live?
 

MasterOfNone

Member
Oct 27, 2017
198
I always feel like these bounties are really small for the bigger payouts, assuming that 20K is the highest payout possible that would mean that finding a critical bug that could expose your entire console to unpatchable piracy (thinking worst case scenario here) leading to potentially millions of dollars lost (exec thinking) only awards the person who found it 20K?

I'm thinking not a lot of serious hackers with real jobs will spend the excruciating amount of hours finding a big loophole in security for a 20K best case scenario bounty.
 

bsigg

Member
Oct 25, 2017
22,556
I always feel like these bounties are really small for the bigger payouts, assuming that 20K is the highest payout possible that would mean that finding a critical bug that could expose your entire console to unpatchable piracy (thinking worst case scenario here) leading to potentially millions of dollars lost (exec thinking) only awards the person who found it 20K?

I'm thinking not a lot of serious hackers with real jobs will spend the excruciating amount of hours finding a big loophole in security for a 20K best case scenario bounty.

Honestly the people/teams that will be going after this are the ones that do it professionally. MS paid out $250k to a team that found a Windows 10 critical bug not too long ago.

Sony only offers a t-shirt if you find a bug like this lol
 
Oct 25, 2017
4,841
Sony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a "Finder" t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.
You even need to pay for shipping for the Sony T-shirt!
 

Afrikan

Member
Oct 28, 2017
16,990
You even need to pay for shipping for the Sony T-shirt!

This is what happens when Sony is in 1st place.

We never learn.
unbelievable.gif