
Microsoft announces the launch of a bug bounty program for Xbox

Microsoft announced the launch of an Xbox bug bounty program with rewards of up to $20,000 for critical remote code execution flaws.

The program pays rewards ranging from $500 to $20,000, with the top payout reserved for critical remote code execution vulnerabilities.

“The Xbox Bounty Program invites gamers, security researchers, and others around the world to help identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.” reads the program description.

“Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.”

The bug bounty program will pay for vulnerabilities in the Xbox Live network and services. Eligible vulnerability types include cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), insecure deserialization, injection flaws, server-side code execution, and significant security misconfiguration (when not caused by the user).

The vulnerabilities can lead to remote code execution, elevation of privileges, security bypass, information disclosure, spoofing, or tampering. Denial-of-service (DoS) flaws are out of scope.

Bounty awards range from $500 up to $20,000. Higher awards are possible, at Microsoft’s sole discretion, based on report quality and vulnerability impact. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.

The payout table below lists the award by security impact and severity; where a cell contains three values, they correspond to High / Medium / Low report quality.

Security Impact          Critical                       Important                      Moderate   Low
Remote Code Execution    $20,000 / $15,000 / $10,000    $15,000 / $10,000 / $5,000     N/A        N/A
Elevation of Privilege   $8,000 / $4,000 / $3,000       $5,000 / $2,000 / $1,000       $0         N/A
Security Feature Bypass  N/A                            $5,000 / $2,000 / $1,000       $0         N/A
Information Disclosure   N/A                            $5,000 / $2,000 / $1,000       $0         $0
Spoofing                 N/A                            $5,000 / $2,000 / $1,000       $0         $0
Tampering                N/A                            $5,000 / $2,000 / $1,000       $0         $0
Denial of Service        Out of Scope (any report quality)

Researchers who report remote code execution flaws can earn between $5,000 and $20,000, while privilege escalation vulnerabilities can be rewarded with payouts between $1,000 and $8,000. The remaining issue types pay between $1,000 and $5,000.

Microsoft will review every submission on a case-by-case basis; however, some common low-severity issues that are out of scope and typically do not earn bounty rewards are:

  • Server-side information disclosure such as IPs, server names and most stack traces
  • Low impact CSRF bugs (such as logoff)
  • Denial of Service issues
  • Issues relating to Fraud
  • Sub-Domain Takeovers
  • Cookie replay vulnerabilities
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)

“Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service. The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers,” reads the announcement published by Microsoft.


Pierluigi Paganini

(SecurityAffairs – Xbox, hacking)