PROGRAM DESCRIPTION:

The Xbox Bounty Program invites gamers, security researchers, and others around the world to help identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.

Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

The goal of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of Microsoft’s customers. Vulnerability submissions must meet the following criteria to be eligible for bounty award:

• Identify a previously unreported vulnerability that reproduces in our latest, fully patched version of Xbox Live network and services at the time of submission.

• Include clear, concise, and reproducible steps, either in writing or in video format.

  • This allows submissions to be reviewed as quickly as possible and supports the highest bounty awards.

GETTING STARTED

Sign up for an Xbox network account. We recommend creating one or more test accounts to conduct security vulnerability research.

• Access to a Xbox 360, Xbox One, Xbox One S or Xbox One X is not required for testing but may be useful. Please note, consoles will not be provided for testing purposes.

• Access to a Xbox Gold, Project xCloud, Xbox Game Pass, Xbox Game Pass for PC or Xbox Game Pass Ultimate account is not required for testing but may be useful. Please note, paid accounts will not be provided for testing purposes.

Follow Xbox on Twitter, Xbox community site and forums and see what’s upcoming on Xbox Insider to learn about the latest features and releases.

HOW ARE AWARD AMOUNTS SET?

Bounty awards range from $500 up to $20,000. Higher awards are possible, at Microsoft’s sole discretion, based on report quality and vulnerability impact. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.

| Security Impact | Report Quality | Severity | | | |

| - | - | - | - | - | - |

| | | Critical | Important | Moderate | Low |

| Remote Code Execution | High Medium Low | $20,000 $15,000 $10,000 | $15,000 $10,000 $5,000 | N/A | N/A |

| Elevation of Privilege | High Medium Low | $ 8,000 $ 4,000 $ 3,000 | $5,000 $2,000 $1,000 | $0 | N/A |

| Security Feature Bypass | High Medium Low | N/A | $5,000 $2,000 $1,000 | $0 | N/A |

| Information Disclosure | High Medium Low | N/A | $5,000 $2,000 $1,000 | $0 | $0 |

| Spoofing | High Medium Low | N/A | $3,000 $2,000 $500 | $0 | $0 |

| Tampering | High Medium Low | N/A | $3,000 $2,000 $500 | $0 | $0 |

| Denial of Service | High/Low | | Out of Scope | | |

N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.  

We recognize that some issues are extremely difficult to reproduce and understand; this will be considered when reviewing the quality of each submission. 

IN-SCOPE VULNERABILITIES

The following are examples of vulnerabilities that may lead to one or more of the above security impacts:

• Cross site scripting (XSS)

• Cross site request forgery (CSRF)

• Insecure direct object references

• Insecure deserialization

• Injection vulnerabilities

• Server-side code execution

• Significant security misconfiguration (when not caused by user)

• Demonstrable exploits in third party components

  • Requires full proof of concept (PoC) of exploitability.  For example, simply identifying and out of date library would not qualify for an award

WHAT ARE THE RULES GOVERNING THE TESTING OF BOUNTY-ELIGIBLE MICROSOFT ONLINE SERVICES?

The scope of this program is limited to technical vulnerabilities in the Xbox network.

• By participating in the Program, you agree to follow our Bounty terms and conditions.

The following activities are prohibited under the Xbox Bounty Program:

• Any kind of Denial of Service testing.

• Performing automated testing of services that generates significant amounts of traffic.

• Gaining access to any data that is not wholly your own. For example, you are allowed and encouraged to create a small number of test accounts for the purpose of demonstrating and proving cross-account access. However, it is prohibited to use one of these accounts to access the data of a legitimate customer or account.

• Moving beyond minimally necessary “proof of concept” repro steps for server-side execution issues

• Attempting phishing or other social engineering attacks against our employees or Xbox customers.

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.

OUT OF SCOPE VULNERABILITIES

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:

• Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community

• Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of August 2021, for example, these include, without limitation

  • Vulnerabilities that rely on Akamai ARL misconfiguration

• Out of Scope vulnerability types, including:

  • Server-side information disclosure such as IPs, server names and most stack traces

  • Low impact CSRF bugs (such as logoff)

  • Denial of Service issues

  • Issues relating to Fraud

  • Sub-Domain Takeovers

  • Cookie replay vulnerabilities

  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)

• Vulnerabilities based on user configuration or action, for example:

  • Vulnerabilities requiring extensive or unlikely user actions

  • Vulnerabilities in user-created content or applications.

• Vulnerabilities based on third parties, for example:

  • Vulnerabilities in third party software identified without proof of concept

• Vulnerabilities in other Microsoft Products:

  • These submissions may be eligible for a bounty through another program; please see the full list of Bounty Programs for other qualifying Microsoft products and services.

• Vulnerabilities in Mixer, GamePass, xCloud, Xbox.com

• Vulnerabilities in third-party sites which are not owned by Microsoft and sites that pertain to marketing efforts

  • Please check “WHOIS” records for all resolved IPs prior to testing to verify ownership by Microsoft. Some third parties host sites for Microsoft under subdomains owned by Microsoft, and these third parties are not in scope for this bug bounty program.

• Vulnerabilities in Microsoft game studios, including but not limited to:

  • compulsiongames.com

  • doublefine.com

  • inxile.net

  • ninjatheory.com

  • obsidian.net

  • playground-games.com

  • undeadlabs.com

Microsoft reserves the right to reject any submission that we determine, in our sole discretion, falls into any of these or other categories of vulnerabilities even if otherwise eligible for a bounty.

HOW DO I PROVIDE MY SUBMISSION?

Send your complete submission to Microsoft using the MSRC Submission portal, following the recommend format in our submission guidelines. We request you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.

BOUNTY AWARDS

Microsoft retains sole discretion in determining award amounts and which submissions eligible and in scope.

• There are no restrictions on the number of qualified submissions an individual submitter may provide or number of awards a submitter may receive.

• If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first complete and reproducible submission. 

• If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.  

• If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout award from a single bounty program. 

• Even if it is not covered under an existing bounty program, we publicly acknowledge critically important contributions when the vulnerability is fixed.

• All valid vulnerability submissions are counted in our Researcher Recognition Program and leaderboard, even if they do not qualify for bounty award. 

BOUNTY TERMS AND CONDITIONS

For additional information on Microsoft bounty program requirements and legal guidelines please see our Bounty Terms, Safe Harbor policy, and our FAQ. 

Have questions? We're always available at secure@microsoft.com.

Thank you for participating in the Microsoft Bug Bounty Program!

REVISION HISTORY

• January 30, 2020: Launched Xbox Bounty

• August 26, 2021: Added to out of scope - vulnerabilities that rely on Akamai ARL misconfiguration.