Microsoft offers $20,000 bug bounties for Xbox security flaws

Microsoft extends bug bounty offerings to Xbox games console vulnerabilities

A day after Google claimed it paid $6.5 million in bug bounties in 2019, Microsoft has revealed its own bug bounty programme for the Xbox gaming platform.

Bounties of up to $20,000 will be available under Coordinated Vulnerability Disclosure (CVD) for "submissions with a clear and concise proof of concept", Microsoft announced.

"A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept," Microsoft explained.

The top $20,000 pay-outs will go to researchers who uncover the most serious security flaws, such as remote code execution vulnerabilities, and who provide high-quality reports to Microsoft.

'Lesser' security flaws, such as elevation of privilege, will attract rewards of between $3,000 and $8,000. Security bypass flaws will offer bounties of up to $5,000.

Tampering, spoofing, and information disclosure vulnerabilities of various severity will attract bounties of between $1,000 and $5,000.

Prohibited, however, is any kind of denial of service testing or testing that generates a significant amount of traffic on the Xbox Live network, as well as "moving beyond minimally necessary 'proof of concept' repro[duction] steps for server-side execution issues". Gaining access to other users' data is likewise off limits.

Since its introduction in November 2001, the Xbox has generally proved to be secure, but there have been a number of issues. The most notable was a WiFi vulnerability attributable to the Marvell Avastar 88W8897 chipset used in the Xbox (as well as the rival Sony Playstation 4).

Other security flaws include a trivially simple authentication bypass uncovered in 2014 by a five-year-old security researcher.

The Xbox has also been at the centre of a privacy controversy when it was revealed that Microsoft contractors had been given recordings of conversations picked up by the device to transcribe.