Xbox One bounty hunters who find holes in Xbox Live security and point them out to Microsoft can claim rewards of $500 to $20,000.
Microsoft put out the call to find vulnerabilities yesterday with the kickoff of its Xbox Bounty Program. It includes a schedule of award payments, with tampering-related vulnerabilities worth $1,000 to $5,000, and the ability to execute remote code paying between $5,000 and $20,000. Denial of service vulnerabilities are listed as out of scope and don't pay anything.
Eligible vulnerabilities must be on the latest, fully patched version of the Xbox Live operating system, be reproducible on that system, and include clear, concise, and reproducible steps, whether in writing or on video.
Obviously, Microsoft is not saying these vulnerabilities exist within Xbox Live. But if they do, they'd rather pay four or five figures to a person who knows how to use them rather than millions later for an outage, personal information breach, or other major attack. Xbox Live, over its 17-year history, has suffered denial-of-service attacks but never a major hack like the one that brought PlayStation Network down for 23 days in the spring of 2011.
Microsoft has had a bounty program for its Windows operating system since 2017, but is the last console maker to offer this kind of reward to shore up its online service. Kotaku noted that Nintendo has had a bug bounty program since 2016, offering rewards of up to $20,000. Sony, on the other hand, gives its white hats a t-shirt.