
Microsoft launches Xbox bug bounty program with rewards of $20,000 or more


Anyone can now report security issues with Xbox Live


Microsoft is launching a new Xbox Bounty Program to reward gamers, security researchers, and anyone else who discovers security vulnerabilities in the Xbox Live network and services. Bounty rewards will range from $500 up to $20,000, and Microsoft notes there could even be higher payouts depending on the quality of the report and the vulnerability impact.

The biggest payouts will be handed out for critical remote code execution and elevation of privilege flaws, while security feature bypasses, information disclosure, spoofing, and tampering will all include rewards up to $5,000. As Microsoft is opening this up to gamers and anyone who has the skills to find flaws, it’s expecting high-quality reports with a detailed write-up or video demonstration, and a clear proof of concept. Microsoft isn’t looking for people to perform DDoS testing, carry out social engineering attacks, or go too far on server-side execution issues.

Microsoft has run bug bounty programs for a number of its products over the years, including payouts of up to $250,000 for Windows 10 security bugs. This new Xbox Bounty Program comes just as Microsoft prepares to launch its Xbox Series X console and xCloud game streaming service. Both will operate on the Xbox Live network. Sony and Nintendo also accept security bug reports, with Nintendo rewarding up to $20,000 and Sony only providing a t-shirt as recognition.