Microsoft put out the call to find vulnerabilities yesterday with the kickoff of its Xbox Bounty Program. It includes a schedule of award payments, with tampering-related vulnerabilities worth $1,000 to $5,000 and remote code execution paying between $5,000 and $20,000. Denial-of-service vulnerabilities are listed as “out of scope” and don’t pay anything.
Eligible vulnerabilities must be found on the latest, fully patched version of the Xbox Live operating system, be reproducible on that system, and come with “clear, concise, and reproducible steps,” whether in writing or on video.
Obviously, Microsoft is not saying these vulnerabilities exist within Xbox Live. But if they do, it would rather pay four or five figures to a person who knows how to use them than millions later for an outage, a personal-information breach, or another major attack. Xbox Live, over its 17-year history, has suffered denial-of-service attacks but never a major hack like the one that brought PlayStation Network down for 23 days in the spring of 2011.
Microsoft has had a bounty program for its Windows operating system since 2017, but is the last console maker to offer this kind of reward to shore up its online service. Kotaku noted that Nintendo has had a “bug bounty program” since 2016, offering rewards of up to $20,000. Sony, on the other hand, gives its white hats a t-shirt.
Editor’s note: We were unaware that Alan Harris, who played the Trandoshan Bounty Hunter Bossk in The Empire Strikes Back, died on Friday. This article originally used a framegrab of Bossk from the film to illustrate the bounty hunting theme of the program. We’ve switched the image out to avoid any impression we were being disrespectful; none was intended.