In recent years, as computer security has become more of a concern for everyone, trying to get ahead of the bugs and vulnerabilities that cause hacks and denial of service attacks is a higher and higher priority. Microsoft has been in on this game for a while, but they just recently launched the Xbox Bounty Program, taking what has become a relatively standard “bug bounty” program and bringing it to another video game console. If you find a major bug in an Xbox Live service and report it to them, you could get paid for it.
This comes a few years after console rival Sony, who has a bad reputation for security problems, started a similar program. Nintendo has also had one since December of 2016. With Microsoft joining the club, all the major console manufacturers now have a bug bounty program, so let’s take a look at what they are and how you can take part in it.
Bug bounty programs come from a fundamental problem with trying to make sure computer systems are working properly. As many infamous video game launches have shown us, when you don’t have good enough Quality Assurance working on it, you end up releasing with a significant number of big bugs. While that can make a video game frustrating or nearly unplayable (see the infamous Sonic the Hedgehog game from 2006), that’s still pretty harmless, all things considered.
For the Xbox or Xbox Live service, however, that can be a much bigger issue. There are people with payment methods sitting in that system, or the console can act as a way to get into someone’s home network to launch another attack. This is extremely valuable to someone with malicious intent – credit card information or machines to turn into a botnet sell well – so the bug bounty tries to pay better than malicious hackers for these bugs and exploits. Officially sanctioning a way to report these bugs and vulnerabilities also gives legal protection to people who find them – many bug hunters with good intentions have been prosecuted under the Computer Fraud and Abuse Act for reporting problems they found, so many wouldn’t want to take the risk.
When the company running the service offers money, especially large amounts of money, that changes. The top offering here with the big headline is that Microsoft is willing to pay up to $20,000 for a reported vulnerability. Specifically, for a high-quality report of a Remote Code Execution vulnerability. This is a high bar, as you’d have to find and show proof of concept of a vulnerability that will let you run whatever code you want, for whatever purpose you want, on someone else’s Xbox. Less severe bugs will pay out less, with $1,000 being the lowest amount that they show being offered for bugs of moderate severity.
While these look like big numbers, they’re not as high as a lot of bug bounty programs get. Just looking at the other Microsoft programs shows other areas that will pay even more. A vulnerability in the Microsoft Edge browser will pay up to $30,000, with bugs in Microsoft Identity paying up to $100,000 or a bug in the Microsoft Azure cloud computing system can pay up to $300,000 (though the latter requires you to register as a researcher with them first).
So, if you’re interested, how do you get started? The only thing you actually need is an Xbox network account, preferably one made specifically for testing, not your personal account. They recommend you also have an Xbox 360, Xbox One, Xbox One S, or Xbox One X for testing, though it’s not strictly necessary. You’ll have to provide your own, as Microsoft won’t give you one for testing purposes. After that, it's as simple as reading up on the Bounty details, including terms and conditions.
There are a lot of rules on what you can and can’t do, as well as guidance on how to write up reports if you do find anything. While you don’t need to be an expert to find bugs and flaws to report, you do need some level of knowledge in order to find and report things. If you don’t understand a lot of what’s on that page but still are interested, there are plenty of resources to help even the most novice users become bug hunting white-hat hackers.