Bug Bounty Xbox Live: Attractive Rewards for Reporting Vulnerabilities

It is customary for world-renowned companies to launch attractive bug bounty programs. These reward people who discover high-impact vulnerabilities in their products or services. In most cases the prizes are large sums of money, which makes the programs all the more attractive and challenging.

This time the program targets Xbox: players, enthusiasts and security professionals alike are encouraged to participate. Participants should report vulnerabilities found in the latest version of Xbox Live; this applies to both the services and the network in general.

Prizes range from $500 to $20,000. One of the most important conditions for qualifying for a prize is that your submission involves remote code execution, spoofing or other issues that impact Xbox Live security. It must be reported with clear, concrete and complete documentation, together with the corresponding proof of concept (PoC) for the vulnerability.

The prize amounts may be higher depending on the quality and demonstrated impact of the reports and evidence received. This assessment, like the choice of the program's winners, is the sole responsibility of Microsoft.

What conditions are taken into account for the vulnerability report?

The report or test, whichever you choose, must show vulnerabilities that have not been previously reported, whether against the latest version of Xbox Live or against the network or service environment. The steps to reproduce the vulnerabilities should be clear, concise and, of course, actually reproducible. The best option is to document them on video, since that makes the evidence easier to understand. In addition, the video format favors a quick review, and you can qualify for the top prizes.

These are some of the vulnerabilities included in the scope of this rewards program:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Insecure direct object references
  • Insecure deserialization
  • Injection vulnerabilities

On the other hand, these are some of the vulnerabilities that are not within the scope of the program:

  • Server-side information disclosure
  • Low-impact CSRF bugs, such as logoff
  • DoS issues
  • Problems related to fraud

Note that remote code execution is the most critical category in terms of severity and falls in the highest award range: from $5,000 (if reported as important) to the maximum of $20,000 (if it is critical).

Are you interested in participating? You must visit the official portal of the program. There you will find the details of all the vulnerabilities that are within the program, those that are not, the general conditions for participating, and the help you need to submit your video or report.

Without a doubt, this is a great opportunity to take part in a rewards program. You do not need to go straight for the jackpot on the first try. Even if you do not earn cash, being recognized by Microsoft (there is that possibility) is already a great step forward. Remember, with persistence, you can earn a lot of money from bug bounties.