Every network and every service has bugs, and some of those bugs are security vulnerabilities. Many companies run programs that pay outside researchers to find and report them before attackers do. Microsoft runs one such program for its gaming platform: the Xbox Bug Bounty Program.
Microsoft invites security researchers, gamers, and anyone else worldwide to help find vulnerabilities in the Xbox Live network and services. Anyone who finds a bug reports it to the Xbox team so that it can be fixed. Qualifying submissions earn rewards between USD 500 and USD 20,000. Vulnerability classes in scope for a bounty are cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), insecure deserialization, injection vulnerabilities, server-side code execution, significant security misconfiguration, and demonstrable exploits in third-party components.
According to the Microsoft Bounty Terms and Conditions, the reward for a submission depends on the quality of the report and on the impact and severity of the vulnerability found. The final amount is decided at Microsoft's discretion under those terms.
The main objective of the program is to identify and eliminate vulnerabilities currently present in the Xbox network and services, whatever their impact on users, in order to better protect users' privacy and security.
Participants have to meet certain criteria to be eligible for rewards:
Reproduction steps must be clear and concise, either in writing or as a video. This lets the team reproduce and triage the bug as quickly as possible, and the quality of the write-up directly affects the bounty awarded.
The vulnerability must not have been reported before, and it must be reproducible on the latest, fully patched version of the Xbox Live network and services.
How to Get Started?
Participants need an Xbox network account. Microsoft permits creating as many test accounts as a proper vulnerability investigation for the Xbox Bug Bounty requires.
Microsoft does not supply consoles or paid accounts for testing. Owning an Xbox One, Xbox One S, Xbox One X, or Xbox 360 is not mandatory, but a console can be useful for testing and research and can lead to higher-impact, and therefore higher-paid, findings.
Likewise, Xbox Game Pass, Xbox Game Pass Ultimate, Xbox Live Gold, Xbox Game Pass for PC, and Project xCloud are not required, but they may make it easier to reach and test features where vulnerabilities could be found.
- Researchers must not generate significant traffic by running automated testing against the services.
- Social engineering attacks such as phishing against Xbox customers or users, or against Microsoft employees, are not allowed.
- Researchers must not access anyone else's information without that person's prior permission.
- Denial-of-service attacks against the Xbox network and services are prohibited.
How can you submit a vulnerability?
Participants submit their research for the Xbox Bug Bounty through the MSRC submission portal. Every report sent to Microsoft has to follow the mandatory report format described in the program FAQ; reports that do not follow it may be rejected. All reporting must follow Coordinated Vulnerability Disclosure, meaning the issue is not disclosed publicly before Microsoft has had a reasonable opportunity to fix it. Microsoft will also make reasonable efforts to follow up on incomplete submissions and ask for clarification.
The Xbox Bug Bounty Program is the latest bounty program launched by Microsoft. It rewards people who help the company find vulnerabilities in the Xbox network and services by submitting properly researched reports. Microsoft already runs bounty programs across many products and services, grouped into its Cloud, Platform, and Defense and Grant programs. Other console makers, Sony and Nintendo, also run bug bounty programs covering vulnerabilities in the PlayStation and the Nintendo Switch.