This week, Microsoft introduced a bug bounty program to help identify security flaws in the Xbox Live network. Gamers and researchers can earn between $500 and $20,000 for successfully reporting vulnerabilities in the service.
A lot to cover
Microsoft says bounties are awarded at the company's discretion, based on the quality, severity, and impact of each submission.
Examples of vulnerabilities eligible for a reward include:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Insecure direct object references (IDOR)
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by the user)
- Demonstrable exploits in third-party components (requires a full proof of concept (PoC) of exploitability)
The tech giant states that there is no limit on the number of qualifying submissions an individual can make. However, if it receives reports of the same bug from several people, only the first complete submission is awarded the bounty; later duplicates are not rewarded.
Reports must be submitted to the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD), meaning the details go to Microsoft privately rather than being published before a fix is available.
Chloé Brown, program manager at the Microsoft Security Response Center, spoke about how her company seeks to deliver a gaming service that is secure for its users.
“Since launching in 2002, the Xbox Network has enabled millions of users to share their common love of gaming on a safe and secure service,” she shared on Microsoft’s website.
“The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers.”
Brown added that a bounty program is an effective way to build a secure ecosystem for players, and that it complements internal testing, private programs, and knowledge shared by the firm's partners.
Other corporations, such as Amazon, rely on outside researchers in a similar way. A few months ago, two researchers earned $60,000 at the Pwn2Own hacking contest after they compromised an Amazon Echo.
With significant money on offer, outside researchers have a stronger incentive to report what they find to the company rather than sell or publish it. Programs like this can catch issues that internal testing misses, even after a company has done everything it reasonably can in-house.
With Microsoft looking to strengthen its presence in the gaming industry this decade, it will want its platform's security to be as robust as possible.
Do you think Microsoft’s approach to tackling bugs will be effective? Let us know your thoughts in the comment section.