Microsoft Offers $30K Rewards For Chromium Edge Beta Flaws | Threatpost

Microsoft is calling on researchers to help sniff out any security glitches in the beta version of its new Chromium-based Edge browser before officially pushing it live.

The tech company has been working to build a new version of Edge based on Google’s open-source Chromium code, as opposed to its previous proprietary EdgeHTML browser engine. Now, with the Tuesday release of the beta version of the new browser, Microsoft has also extended its existing Edge bug-bounty program to include the “Microsoft Edge Insider Bounty,” aimed at whacking any security issues in this latest version.

“We’re excited to expand our bounty programs today to include the next version of Microsoft Edge and continue to grow and strengthen our partnership with the security research community,” Jarek Stanley, senior program manager at Microsoft, said in a Tuesday post. “We welcome researchers to seek out and disclose any high-impact vulnerabilities they may find in the next version of Microsoft Edge, based on Chromium, and offer rewards up to US $30,000 for eligible vulnerabilities in Dev and Beta channels.”

Researchers can earn between $1,000 and $30,000 for finding critical or important vulnerabilities in Microsoft Chromium Edge Beta and Dev channels. In-scope flaws include elevation of privilege, remote code execution, information disclosure and other vulnerabilities.

“The goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to uncover vulnerabilities that are unique to the next Microsoft Edge which have a direct and demonstrable impact on the security of our customers,” Microsoft said. “Vulnerabilities that reproduce in the latest, fully patched version of Windows (including Windows 10, Windows 7 SP1 or Windows 8.1) or MacOS may be eligible for the Microsoft Edge Insider bounty program. Windows Insider Preview is not required.”

Since Microsoft pulled the plug on the old Edge browser, the new Chromium-based Edge has been in developer testing for the past few months, with the first builds of Chromium Edge becoming available in April, including the Canary and dev versions.

In launching Chromium Edge, Microsoft said it hopes to better align its web platform with both web standards and other Chromium-based browsers: “This will deliver improved compatibility for everyone and create a simpler test-matrix for web developers,” said Windows corporate vice president Joe Belfiore in 2018.

Previous builds have garnered 1 million downloads and Microsoft has received 140,000 feedback responses, it said on Tuesday.

The first public beta – which is the third and final preview channel to come online before the browser launches – is available for Windows 7, Windows 10 and MacOS.

The company has not said when it will publicly release Chromium Edge, but reports point to late 2019 or early 2020.

A full list of the in-scope vulnerabilities – and subsequent rewards – as well as terms and conditions of the Edge Insider Bounty Program can be found here.
