Microsoft is making the bug bounty for its Edge browser a permanent program, a significant change to the way the company incentivizes researchers to find vulnerabilities in the application.
It’s been a little less than a year since Microsoft launched the bounty as a temporary offering with the Windows 10 Insider Preview. The idea was to spur researchers to dig into the Edge code and find bugs before the browser was released in its final form. The company said it received a number of qualifying vulnerability reports in the 10 months since the program began, and so it is now extending it indefinitely.
“As security is a continuous effort and not a destination, we prioritize identifying different types of vulnerabilities in different points of time. On August 4, 2016, we launched the Edge Web Platform bounty on WIP to incentivize researchers to send us remote code execution (RCE), same origin policy bypass vulnerabilities (example: UXSS), and referrer spoofing vulnerabilities in our latest browser. Microsoft is committed to delivering secure products to our customers and this bounty program helped us achieve that goal,” Akila Srinivasan of the Microsoft Security Response Center said in a post.
The Edge bug bounty pays out a variety of rewards, from $500 up to $15,000, and Microsoft even pays researchers who report vulnerabilities that already were discovered internally.
Microsoft was somewhat of a latecomer to the bug bounty idea. Company officials were resistant to paying researchers for reporting vulnerabilities for a long time, mostly because the majority of vulnerabilities Microsoft patched were reported to the company for free. As that began to change, people inside the company started to push for some kind of reward program. In 2013 Microsoft launched its first bounty, led by Katie Moussouris, but even that wasn’t the traditional bug bounty.
Rather than just offering rewards for vulnerability reports, Microsoft offered researchers up to $100,000 for new exploitation techniques. The company also had a separate reward for vulnerabilities in the preview version of IE 11. Microsoft eventually expanded that to other bounties and now is making its browser reward program permanent.