$20,000 up for grabs in Xbox Live security hole hunt

Microsoft is inviting gamers, security researchers, and technologists to pit their wits against the Xbox network in the search for security vulnerabilities.

With a newly announced bug bounty, Microsoft is inviting bug hunters to responsibly disclose bugs and flaws that could potentially be exploited by criminals.

The company’s hope is clearly that by strengthening the Xbox Live network it will improve the experience for the more than 60 million gamers on the platform, and reduce downtime.

To be in the running for a cash reward, which ranges from $500 up to a top award of $20,000 for a successful proof-of-concept of remote code execution, bug hunters will need to identify a previously unreported vulnerability in the latest, fully patched version of the Xbox Live network and services. They are also asked to provide "clear, concise, and reproducible steps, either in writing or in video format."

Xbox Live vulnerabilities that Microsoft considers eligible for the bug bounty program include:

  • Cross site scripting (XSS)
  • Cross site request forgery (CSRF)
  • Insecure direct object references
  • Insecure deserialization
  • Injection vulnerabilities
  • Server-side code execution
  • Significant security misconfiguration (when not caused by user)
  • Using a component with known vulnerabilities (when demonstrated with a working proof of concept)

However, Microsoft specifically states that, although denial-of-service attacks can be serious, it is not including them in the Xbox Bug Bounty criteria. Furthermore, it explicitly declares that the program prohibits any kind of denial-of-service testing, as well as any automated testing that generates significant amounts of traffic.

Clearly the last thing the company wants is for any vulnerability testers to cause more problems for their legions of gamer fans than they may already be experiencing.

In a similar vein, Microsoft prohibits launching any phishing or social engineering attacks against its customers or staff.

Vulnerabilities that Microsoft determines to be of “moderate” or “low” severity do not presently qualify for cash rewards, but may still be eligible for public acknowledgment if they result in a fix being issued.

Oh, and in case you were wondering, no, Microsoft isn't offering to send you a free Xbox to help with your testing.

For full details of the bug bounty’s rules, and how to submit a report to its security team, read Microsoft’s guidelines for the Xbox Bug Bounty Program.

About the author

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.