Microsoft Windows Defender Application Guard Bounty Program
PROGRAM DESCRIPTION
Microsoft is pleased to announce the launch of the Windows Defender Application Guard (WDAG) bounty program beginning July 26, 2017. Through this program, individuals across the globe have the opportunity to submit vulnerabilities in WDAG found in latest Windows 10 Insider Preview slow ring. Windows 10 Insider preview updates are delivered to testers in different rings. For this bounty program, we request you submit bugs on the Windows Insider Preview slow ring. Check out https://insider.windows.com/ and https://insider.windows.com/Home/GetStarted for more information.
Qualified submissions are eligible for payment from a minimum of $500 USD to $30,000 USD.
Bounties will be paid out at Microsoft’s discretion. Microsoft may pay more depending on the entry quality and complexity.
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?
Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for payment:
- Identify an original and previously unreported vulnerability in eligible versions of WDAG
- WDAG on Windows 10 (latest builds of Windows Insider Preview slow)
- Vulnerabilities affecting Hyper-V will qualify for the Microsoft Hyper-V bounty program
- The vulnerability must reproduce on the recent WIP slow builds to qualify for a bounty
- If a submission reproduces in a previous WIP Slow build, but not the current WIP Slow at the time of your submission, then the submission is ineligible
- Include concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Include the WIP slow build number on which the vulnerability reproduces
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission based on the criteria mentioned above
- If a duplicate report provides us new information that was previously unknown to Microsoft, we will award a differential to the duplicate submission
- The first external report received on an internally known issue will receive a maximum of 10% of the maximum payout (e.g. $3,000 for a WDAG RCE instead of $30,000)
- A high-quality report requires a proof of concept, detailed write up and/or a whitepaper
- If you want to submit a vulnerability for the Hyper-V containers, you will be eligible for it under the Microsoft Hyper-V bounty program
WDAG Container
WDAG runs within a Hyper-V container which is isolated from the host operating system.
This bounty program is concerned with bugs in WDAG container and components directly affecting the container’s security including escapes from the WDAG container to the host operating system. This bounty is, as noted above, separate from the Microsoft Hyper-V bounty program.
Remote Code Execution
An eligible submission includes a RCE vulnerability in WDAG that enables a guest in the WDAG container to compromise the hypervisor, escape from to the host, or escape from one WDAG container to another WDAG container.
Vulnerability Type | Proof of concept | Functioning Exploit | Report Quality | Potential Payout range (USD) |
---|---|---|---|---|
Vulnerability resulting in escape from the WDAG container to the host |
Required
|
Yes
|
High
|
$30,000
|
No
|
High
|
$20,000
|
||
No
|
Low
|
$10,000
|
||
Vulnerability within the Application Guard container, no container escape |
Required
|
No
|
High
|
$10,000
|
No
|
Low
|
$2,000
|
RELEVANT INFORMATION
- https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-Application-Guard-Update-Persistence/m-p/82505
- https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-Application-Guard-Standalone-mode/m-p/66903
- https://azure.microsoft.com/en-us/blog/containers-docker-windows-and-trends/
- Here is the Black Hat presentation on WDAG
WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?
The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in our browsers, the following are examples of vulnerabilities that will not earn a bounty reward under this program:
- Vulnerabilities in anything earlier than the current Windows Insider slow build
- Vulnerabilities in user-generated content
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities found by disabling existing security features
- Any other category of vulnerability that Microsoft determines to be ineligible, in its sole discretion
We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty
LEGAL NOTICE
To get additional information on the Microsoft legal guidelines please go here.