Gamers, security researchers, and technologists have been invited to identify security vulnerabilities in Xbox network and services and report them to Microsoft. Bounty rewards will range from $500 to $20,000 USD.
Microsoft runs a number of bug bounty programs and has now decided that their Xbox offerings need extra attention from security researchers.
“The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers,” said Chloé Brown, Program Manager at the Microsoft Security Response Center.
“Public bounty programs are a valuable approach which combine with ongoing internal testing, private programs and knowledge shared by partners to produce a secure ecosystem to play in.”
The Xbox bug bounty program at a glance
Microsoft is looking for reports on a wide variety of bugs: from cross-site scripting (XSS) and cross-site request forgery (CSRF) to injection vulnerabilities, server-side code execution flaws, and weaknesses arising from significant security misconfiguration.
The reward amounts depend on the quality of the report and on what these vulnerabilities may allow attackers to do:
As you can see, Microsoft is not interested in bugs that could cause Denial of Service, and they also explicitly warned participants not to undertake any kind of DoS testing.
They also prohibit performing automated testing of services, attempts to gain access to any user data, and social engineering attacks against Microsoft employees or Xbox customers.
To be eligible for a bounty, discovered bugs must exist in the latest, fully patched version of Xbox Live network and services and reports must include “clear, concise, and reproducible steps, either in writing or in video format.”
Out of scope vulnerabilities include flaws in Microsoft game studios, Mixer, GamePass, xCloud, Xbox.com, other Microsoft products, and more.