Hackers Can Now Earn $20,000 by Finding Security Bugs in Xbox Live

Microsoft announced a range of financial rewards for cybersecurity researchers who uncover and responsibly disclose unknown vulnerabilities in Xbox Live.

The online gaming network, which lets players connect to multiplayer services and download games, is now the focus of a new "bug bounty" program, Microsoft confirmed this week. Submissions that prove eligible can earn hackers between $500 and $20,000, Microsoft said.

The top prize listed to date is reserved for a critical "remote code execution." Left unchecked, this has the potential to give a malicious hacker access to the network.

"Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service," Chloé Brown, program manager for the Microsoft Security Response Center (MSRC), wrote in a blog post this week.

"The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers," Brown continued.

"Bounty programs are a valuable approach which combine with ongoing internal testing, private programs and knowledge shared by partners to produce a secure ecosystem to play in."

Currently, Microsoft is limiting the scope of the program to the Xbox Live network and services, stressing that a number of vulnerability types will not be considered for the financial rewards. These include Denial of Service (DoS) issues, URL redirects, and flaws in Mixer, GamePass, xCloud and Xbox.com.

Alongside rival platform PlayStation, Xbox Live suffered a major outage on Christmas Day in 2014 that was reportedly linked to a DoS attack, which works by overwhelming a network with traffic. The cyberattack was linked to people claiming links to a group known as "Lizard Squad."

The Xbox Live network was wiped out for about 24 hours and left many games unplayable at a time of peak interest, The Guardian reported at the time.

A lot of modern games require a full internet connection to work, with popular titles like Call of Duty, Fortnite and Apex Legends largely based around an online-multiplayer component.

For now, Microsoft lists the eligible vulnerability categories as: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Tampering.

To be eligible for money, submissions must include evidence of a previously unreported vulnerability that works with the latest, fully patched version of Xbox Live. They must also include clear and reproducible steps in writing or video format, so the bug can be checked.

Microsoft said this week that higher payouts would potentially be possible at the firm's discretion and based on the bug report's "quality and vulnerability impact."

"Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix," it noted.

Microsoft warns hackers against DoS tests, accessing sensitive Xbox user data or using phishing or social engineering attacks against Microsoft employees or customers. It notes: "Microsoft reserves the right to respond to any actions on its networks that appear to be malicious."

Microsoft runs similar bug programs for other products, including its suite of cloud services. Sony, which owns PlayStation, manages a vulnerability disclosure program via HackerOne.

A detailed view of an Xbox One controller during day one of the 2019 ePremier League Finals at Gfinity Arena on March 28, 2019 in London, England. Alex Pantling/Getty