Microsoft recently announced the launch of its Xbox Bug Bounty program. Under the program, Microsoft will pay rewards ranging from $1,000 to $20,000 for security vulnerabilities found in the Xbox network and services.
Anyone can take part: a gamer, a security researcher, or any other technologist. Microsoft will not, however, provide a console or a paid account for testing Xbox Live; participants are expected to bring their own, and the program is not a way to get hardware or subscriptions for free.
Every eligible submission must include a clear and concise proof of concept (PoC). In practice this means the researcher must supply clear, concise, and reproducible steps (the affected endpoint or feature, the request or input used, and the observed result) so the Xbox team can reproduce and triage the report quickly.
Once a vulnerability has been found, it must be reported to Microsoft under Coordinated Vulnerability Disclosure (CVD).
Under CVD, the researcher discloses the vulnerability privately to the vendor rather than publishing it. This gives the vendor time to diagnose the issue and work with the researcher to resolve it before any details become public.
The Xbox team will set the reward based on the quality of the report and the severity of the reported vulnerability. The table below gives a better picture of how the two combine.
There are also rules that must be followed to stay in the Xbox Bug Bounty program. For instance, researchers may create multiple accounts to test the Xbox network and services, but those accounts must only ever touch their own data, never another customer's. Likewise, phishing and social engineering attacks against Microsoft staff or users are out of scope and will get a researcher removed from the program immediately.