Microsoft is offering up to $15,000 for reports and exploits of the still-under-construction browser that’s scheduled to ship with Windows 10.
Microsoft has kicked off a two-month bug hunt program for vulnerabilities in Project Spartan, the company’s new browser slated for release with Windows 10 later this year. The reward? A bounty that can pay up to $15,000.
“Microsoft’s new browser will be the on ramp to the Internet for millions of users when Windows 10 launches later this year,” wrote Jason Shirk on the Microsoft Security Response Center blog. “Securing this platform is a top priority for the browser team.”
Project Spartan and how it came to exist
Microsoft knows that Internet Explorer’s best days are behind it. Due to this, the company took the unprecedented step of scrapping its long-term product in favor of a completely new browser. Code-named “Project Spartan,” the browser launches with Windows 10.
It’s a huge departure from IE and, much like the company skipping Windows 9 and moving right to 10, the dropping of the Internet Explorer name is very intentional. “It is fast, compatible, and built for the modern Web,” wrote Microsoft’s Operating Systems Vice President Joe Belfiore in a blog post. “Project Spartan is designed to work the way you do, with features enabling you to do cool things like write or type on a webpage. It’s a browser that is made for easy sharing, reading, discovery and getting things done online.”
The Project Spartan bounty
Microsoft said the Project Spartan bounty will pay up to $15,000 for remote code execution and sandbox escape vulnerabilities, as well as design-level bugs. The bounty expires June 22, and payouts will depend on the severity of the issue and how reproducible it is, Microsoft added.
“The program is intended to incentivise security researchers to report vulnerabilities to Microsoft during the Technical Preview period rather than after general use to minimize customer impact,” Microsoft explained elsewhere.
Microsoft’s bounty of up to $15,000 for a vulnerability report or exploit is a 36% increase over the previous $11,000 maximum Internet Explorer 11 bounty. Top awards will be given to what Microsoft considers ‘high-quality’ reports, with smaller rewards ranging from $500 to $6,000 for less serious flaws. Microsoft also added that, in special cases, it reserves the right to pay more than the top-tier $15,000.
The company will accept bug reports from April 22 to June 22, a two-month period that will be twice the length of the IE11 bounty program.
Microsoft hasn’t officially titled the browser beyond ‘Spartan’ yet. It is expected to do so next week, at its Build Developers Conference. Spartan and Windows 10 are expected to launch this summer, perhaps even as early as late July.