Microsoft starts the new Project Spartan Bug Bounty Program (22 April - 22 June)

Microsoft starts the Project Spartan Bug Bounty Program

Microsoft announced the startup of a new bug bounty program "Project Spartan" on Wednesday (22 April). The security project spartan extends the still active microsoft online service bug bounty programs.

The new codename is in used for the new microsoft browser in windows 10 technical preview and the azure cloud platform. The new bug bounty program covers the following services ...

- Azure Cloud Services

- Azure Virtual Machines

- Azure Active Directory

- Azure Storage

The bug bounty payment range is set between 500$ and 15.000$ to reward a researcher for a valid submission.

David B. Cross, Engineering Director at Azure Security, announced in a blog post. “With the addition of Azure to the Microsoft Online Services Bug Bounty Program, customers now have the ability to perform targeted security vulnerability assessments of the Azure platform itself. If issues are identified that meet the eligibility requirements, the finder can be rewarded for their work that helps makes Azure a more secure platform for all,”

As for the Project Spartan bug bounty, securing the platform is a top priority for the browser team, Microsoft said. The company is prepared to pay up to $15,000 (USD) for a remote code execution bug, sandbox escape issue or design-level vulnerabilities.


You are eligible to participate in this program if:

  • you are 14 years of age or older. If you are at least 14 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in this program;
  • you are an individual security researcher participating in your own individual capacity and
  • if you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing your employer’s rules for participating in this program.


  • A resident of any countries/regions that are under United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria;
  • a current employee of Microsoft Corporation or a Microsoft subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
  • a contingent staff member or vendor employee currently working with Microsoft;
  • a person involved in any part of the administration and execution of this program; or
  • an entity that isn’t an individual person—e.g., companies themselves cannot participate


Vulnerability submissions (“submissions”) provided to Microsoft must meet the following criteria to be eligible for payment:

  • Identify an original and previously unreported vulnerability in Microsoft-branded internet browsers shipping with Windows 10 technical preview. Examples include Remote Code Execution (RCE), Address Space Layout Randomization (ASLR) Information Disclosure Vulnerabilities, and Sandbox Escape Vulnerabilities.
  • Include concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)

Note: Microsoft may reject any submission, that it determines (in its sole discretion) does not meet these criteria.

Please do not forget to remember the active set dead-line (begin 22 April 2015 - end 22 June 2015)



Rate this article: 
Average: 5 (5 votes)

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.