Security holes that leave the Xbox Live network vulnerable to spoofing attacks can earn researchers up to $5,000, for instance. Remote code execution exploits pay the most — from $10,000 to $20,000 — so long as they’re previously unreported vulnerabilities found in the latest version of Xbox Live.
Those who want to send in a submission will have to include reproducible steps to be able to claim a reward. And while the program covers quite a few different types of vulnerabilities, some things are out of scope, such as DDoS issues and URL Redirects.
The Xbox Live program is but one of the bug bounty programs Microsoft is running for its products and services. Some of them have a reward cap of $15,000, but the biggest program overall promises up to $300,000 for the most severe vulnerabilities found in the company’s Azure cloud computing services.