With the official release of the Chromium-based Edge Beta channel version, Microsoft also launched a new bug bounty program for the Edge browser. Under the Microsoft Edge Insider Bounty Reward Program, security experts can submit security vulnerabilities in the Edge Dev or Beta channel versions for rewards of up to $30,000.
Microsoft said that this reward program can be considered a supplement to the Google Chrome Vulnerability Reward Program: any vulnerability that affects the latest version of Microsoft Edge but not Chrome is eligible. Microsoft said it is looking for researchers to find and disclose any high-impact vulnerabilities they find in Chromium-based Microsoft Edge.
Vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a previously unreported vulnerability that is unique to Microsoft Edge based on Chromium, in the Beta or Dev channels, and which does not reproduce on the equivalent channel of Google Chrome.
- Vulnerabilities must be reproducible on the latest version of Microsoft Edge at the time of submission running on the latest, fully patched version of Windows (including Windows 10, Windows 7 SP1 or Windows 8.1) or macOS at the time of submission.
- Include the version number of Microsoft Edge used to reproduce the vulnerability (e.g. Version 126.96.36.199 (Official build) dev (64-bit)), and the version number of Chrome used to verify that it does not reproduce on Chrome. Eligible version numbers of the next version of Microsoft Edge will begin with 77 or higher.
- Demonstrable exploits in third-party components that reproduce in Microsoft Edge but not in Chrome are also eligible for consideration under this bounty program. Testing in Windows Insider Preview is not required.
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.
- Include concise reproducibility steps that are easily understood, either in writing or in video format.
  - This allows submissions to be processed as quickly as possible and supports the highest bounty awards.
- Must provide Proof of Concept (PoC) with submission.