And That is by identifying security vulnerabilities in the Xbox Live network
You heard that right, Xbox lets you grab money if you identified any vulnerabilities in their network and other things. But it isn’t that easy, so here is the description exactly to know what to do and to get the full information on this program.
PROGRAM DESCRIPTION:
The Xbox Bounty Program invites gamers, security researchers, and others around the world to help identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.
Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?
The goal of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of Microsoft’s customers. Vulnerability submissions must meet the following criteria to be eligible for bounty award:
- Identify a previously unreported vulnerability that reproduces in our latest, fully patched version of Xbox Live network and services at the time of submission.
- Include clear, concise, and reproducible steps, either in writing or in video format.
- This allows submissions to be reviewed as quickly as possible and supports the highest bounty awards.
That’s great but what about the type of Vulnerabilities?
IN-SCOPE VULNERABILITIES
The following are examples of vulnerabilities that may lead to one or more of the above security impacts:
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by user)
- Demonstrable exploits in third party components
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying and out of date library would not qualify for an award
OUT OF SCOPE VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:
- Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Out of Scope vulnerability types, including:
- Server-side information disclosure such as IPs, server names and most stack traces
- Low impact CSRF bugs (such as logoff)
- Denial of Service issues
- Issues relating to Fraud
- Sub-Domain Takeovers
- Cookie replay vulnerabilities
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Vulnerabilities based on user configuration or action, for example:
- 1-Vulnerabilities requiring extensive or unlikely user actions
- 2-Vulnerabilities in user-created content or applications.
- Vulnerabilities based on third parties, for example:
- 3-Vulnerabilities in third party software identified without proof of concept
- Vulnerabilities in other Microsoft Products:
- Vulnerabilities in Mixer, GamePass, xCloud, Xbox.com
- Vulnerabilities in third-party sites which are not owned by Microsoft and sites that pertain to marketing efforts
- Please check “WHOIS” records for all resolved IPs prior to testing to verify ownership by Microsoft. Some third parties host sites for Microsoft under subdomains owned by Microsoft, and these third parties are not in scope for this bug bounty program.
- Vulnerabilities in Microsoft game studios, including but not limited to:
- compulsiongames.com
- doublefine.com
- inxile.net
- ninjatheory.com
- obsidian.net
- playground-games.com
- undeadlabs.com
Head to the link provided here to know more about how to get started, how to provide the submission and the bounty awards.
