Microsoft today launched another bug bounty for Edge, the default browser within Windows 10.
The award program is similar to one Microsoft ran from April to June 2015 for the then-named Spartan. Microsoft officially rebranded Spartan as Edge in late April.
Bounties of up to $15,000 will be paid for remote code execution (RCE) vulnerabilities in Edge on the Insider builds. Insider is Microsoft's preview program which issues preliminary code to a large pool of volunteers.
RCE vulnerabilities are considered among the most dangerous, because by definition they let attackers run malicious code on a compromised device.
The latest Edge bounty will run from today through May 15, 2017, considerably longer than 2015's brief two-month stretch for Spartan/Edge.
Although Microsoft long resisted joining vendors that paid security researchers for their discoveries -- believing it was enough to credit those who turned in flaws -- the company rethought its stance and offered its first bounties in mid-2013 during the development of Internet Explorer 11 (IE11). Since then it has run several bounty programs, some of which have had hard stop dates and others that remained open-ended.
Because the new bounties will be paid for bugs identified in an under-construction browser, Microsoft warned researchers that they may end up reporting one that the company's engineers already know about, and are working to fix.
"In the event this occurs, as recognition for the real effort put into finding these vulnerabilities, a payment of up to $1,500 USD will be made to the first external researcher who reports the issue," wrote Jason Shirk, a principal security strategist, in a post to a company blog.
More information about the Edge bounty will be published on Microsoft's website. At the time of writing, however, that page was offline.
This story, "Reward: $15K for nastiest Edge browser bugs" was originally published by Computerworld.