- You find a flaw in Xbox Live? You can win up to $20,000
Microsoft will release its new home console, the Xbox Series X, at the end of the year. Like the previous generations, it will of course be able to connect to the Internet for online gaming, for those who want to face other opponents, through its dedicated service, Xbox Live. But remote access means computer security.
That’s why Microsoft has decided to launch a bug hunting program dedicated to Xbox Live. It’s about time: Xbox Live has been around since 2002 and has been the gateway for millions of gamers for just under twenty years – the service has been used for the very first Xbox, as well as its heirs: the Xbox 360 and Xbox One, including its variants, such as the S and X.
Until now, Microsoft has relied solely on its own strengths to secure Xbox Live. This program is intended to complement the group’s investment in public safety by allowing third party stakeholders to contribute and find angles of attack that the Redmond firm’s internal teams would not have seen. This is now a common approach.
Xbox Live has been available since 2002, but it was not until 2020 that Microsoft launched its bug hunting program.
With this program, the details of which are specified in a dedicated page, a third party can be rewarded up to $20,000 for each breach reported to Microsoft teams. This amount is paid if the vulnerability is critical and allows malicious code to be executed remotely. The lowest reward in the table is $1,000 for data corruption.
Other flaws of interest to Microsoft include privilege escalation (which allows an attacker to obtain additional rights and thus access settings and parts of the attacked system that are normally out of reach), circumvention of security devices, information leakage and identity theft over the network.
It should be noted that Microsoft's bug hunt is only interested in breaches that are deemed serious or critical. No reward is to be expected if the report is ultimately rated as a moderate or low severity bug. Microsoft also excludes distributed denial of service attacks, i.e. attacks that aim to overwhelm the service with requests, which have hit Xbox Live hard in the past.
On the program page, Microsoft further details the types of threats it is interested in and lists those that are not eligible, such as subdomain takeovers or forced URL redirections. To earn a reward, the bug report must follow a very precise protocol, with a clear and concise proof of concept.