
Practical advice for earning higher Microsoft bounty awards


Brink

This year at the Nullcon International Security Conference I shared practical advice for how security researchers can maximize the impact of their security vulnerability submissions and earn higher bounty awards under the Microsoft Bounty Program. For those who couldn’t be there, I had two core pieces of advice.
  • First, focus vulnerability research on the products and services that are eligible for bounty rewards. The eligible scope is published on our website. We expand our programs throughout the year, so check back regularly for new potential areas to research and follow us on Twitter for announcements of new bounty programs.
  • Second, when reporting security vulnerabilities, provide clear, concise information to help our engineering teams reproduce the vulnerability for themselves. Detailed and well-written instructions, or even short videos, can more than double the possible award amount for bounty-eligible properties.
In addition to talking about vulnerability hunting in Microsoft’s bounty programs, we also want to help security researchers develop their skills. This year we sponsored more than 20 researchers to attend the conference, which included hands-on training and workshops on hardware and software security. With almost 2000 attendees from across India, Nullcon was a great place to connect with the security researcher community across the region and see excellent technical talks from James Forshaw, Jaya Baloo, and others. Thanks to Antriksh Shah and the team at Payatu for bringing everyone together for such a great event.

Thank you to everyone who I met at Nullcon and to those who attended my talk. For more details and some real-world examples of high-quality and high-reward submissions, check out my presentation slides here.

Happy Hacking!
Jarek Stanley, @JarekMSFT
Senior Program Manager
MSRC

Source: Practical advice for earning higher Microsoft bounty awards MSRC
 
