

Bug bounty

Microsoft introduced a new AI bounty program centered on the AI-driven Bing experience, with rewards reaching $15,000.

With the AI-powered Bing experience as the primary in-scope product for the new bug bounty program, security researchers can submit vulnerabilities found in the following list of eligible services and products:

  • AI-powered Bing experiences on bing.com in Browser (All major vendors are supported, including Bing Chat, Bing Chat for Enterprise, and Bing Image Creator)
  • AI-powered Bing integration in Microsoft Edge (Windows), including Bing Chat for Enterprise
  • AI-powered Bing integration in the Microsoft Start Application (iOS and Android)
  • AI-powered Bing integration in the Skype Mobile Application (iOS and Android)

“The Microsoft AI bounty program invites security researchers from across the globe to discover vulnerabilities in the new, innovative, AI-powered Bing experience. Qualified submissions are eligible for bounty rewards from $2,000 to $15,000 USD,” Microsoft explains on the AI bounty program’s website.

“Submissions identifying vulnerabilities in Bing related online services will be considered under the M365 Bounty Program. All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits.”

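| Vulnerability type | Report quality | Severity: Critical | Severity: Important | Severity: Moderate | Severity: Low |
|---|---|---|---|---|---|
| Inference Manipulation | High | $15,000 | $6,000 | $0 | $0 |
| Inference Manipulation | Medium | $10,000 | $3,000 | $0 | $0 |
| Inference Manipulation | Low | $6,000 | $2,000 | $0 | $0 |
| Model Manipulation | High | $15,000 | $6,000 | $0 | $0 |
| Model Manipulation | Medium | $10,000 | $3,000 | $0 | $0 |
| Model Manipulation | Low | $6,000 | $2,000 | $0 | $0 |
| Inferential Information Disclosure | High | $15,000 | $6,000 | $0 | $0 |
| Inferential Information Disclosure | Medium | $10,000 | $3,000 | $0 | $0 |
| Inferential Information Disclosure | Low | $6,000 | $2,000 | $0 | $0 |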

Apart from issues outlined in Microsoft’s Vulnerability Severity Classification for AI Systems, researchers are also encouraged to report vulnerabilities that result in:

  • Altering Bing’s chat behavior across user boundaries, i.e., altering the AI in ways that could impact all other users.
  • Adjusting Bing’s chat behavior by altering client and/or server visible configuration, including altering debug and feature flags.
  • Bypassing Bing’s safeguards related to cross-conversation memory and history deletion.
  • Disclosing Bing’s internal mechanisms and prompts, decision-making processes, and confidential information.
  • Circumventing limitations and rules within Bing’s chat mode sessions.

The company also highlighted a long list of issues and vulnerability types that are out of scope, including ones that would only affect the attacker, some model hallucination attacks, inaccurate or offensive chat responses, and more.

“Partnering with security researchers through our bug bounty programs is an essential part of Microsoft’s holistic strategy to protect customers from security threats,” said MSRC Technical Program Manager Lynn Miyashita.

“We value our partnership with the global security research community and are excited to expand our scope to include the AI-powered Bing experience.”

In a recent bounty year-in-review blog post, Microsoft said it paid $13.8 million in rewards to 345 security researchers worldwide who reported 1,180 vulnerabilities across 17 different bug bounty programs.

Last year, the company added on-premises Exchange, SharePoint, and Skype for Business to its bug bounty program and increased the maximum awards for high-impact security flaws reported through the Microsoft 365 program.
